I was responding to the structure question only. The token text is questionable since the tokens are opaque to the core; it seems like the token write-up better belongs in the threat model document. Developers of the various token specs can use this as guidance and reference it.
From: Brian Eaton [mailto:[email protected]]
Sent: Thursday, July 07, 2011 10:59 AM
To: Anthony Nadalin
Cc: Eran Hammer-Lahav; [email protected]; Mark Mcgloin ([email protected]); Torsten Lodderstedt ([email protected]); Phil Hunt ([email protected])
Subject: Re: [OAUTH-WG] security considerations - authorization tokens

On Thu, Jul 7, 2011 at 10:49 AM, Anthony Nadalin <[email protected]> wrote:
> When we constructed the current structure in Prague we thought that structure best fit the needs of an implementer, so my preference would be to keep it as it is now, but Torsten / Mark / Phil also may have feedback.

Really? The current doc has *no guidelines* on how to implement authorization tokens whatsoever. So even if you like the current organization of the security considerations, I suspect you'll agree it would make sense to offer some guidance on how these tokens ought to be implemented.
