Hi Eran,

I would suggest to change it to SHOULD and add a reference to 
https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00 sections 3.7 and 
5.2.3.

regards,
Torsten.



Eran Hammer-Lahav <[email protected]> wrote:

It's a pointless MUST given how undefined the requirements are. It will only be 
understood by security experts and they don't really need it. At a minimum, it 
needs some examples.


EHL


From: Torsten Lodderstedt <[email protected]>
Date: Wed, 1 Jun 2011 00:53:37 -0700
To: Eran Hammer-lahav <[email protected]>, OAuth WG <[email protected]>
Subject: Section 10.1 (Client authentication)


Hi Eran,


would you please add the following sentence (which was contained in the
original security considerations text) to the second paragraph of
section 10.1?


    Alternatively, authorization servers MUST utilize
    other means than client authentication to achieve their security
    objectives.



I think it's important to state that authorization servers should
consider alternative ways to validate the client identity if secrets
cannot be used. The security threat document also suggests some.


regards,
Torsten.




_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
