Comments on draft-ietf-oauth-v2-13:
1. Abstract

The 1-line abstract is not helpful - it merely repeats the title. The abstract is important as it is the text most widely seen around the rest of the IETF community (e.g. in announcements of drafts and RFCs) and beyond. It needs to mention: users delegating access to applications; applications orchestrating that delegation; swapping permanent credentials for short-lived access tokens; and that it uses HTTP.

Here is my suggestion:

"The OAuth 2.0 authorization protocol allows an application to gain limited permission to access an HTTP service on behalf of a user by orchestrating an approval interaction between the user and the service. OAuth 2.0 uses temporary credentials, issued by an HTTP service either directly to an application or to represent user-delegated permissions. A collection of HTTP services can accept temporary credentials without needing to handle long-term user or application credentials, which can be restricted to a secure service that issues the temporary credentials."

I think this text can be understood without knowing any of the specialised terms introduced later in the specification.

-- James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
