As promised in the OAuth meeting at IETF 83, I have done a review of
draft-ietf-oauth-v2-http-mac-01. I have sent detailed comments to the
authors, which are summarized below.
This document is in pretty good shape. The definition of the
authentication scheme itself, and the OAuth mechanism for distributing
MAC parameters, both seem clearly specified and easy to implement.
Modulo some minor comments. For example, the current normalized request
seems to protect GET query parameters and not POST; this should either
be corrected or noted.
The main area where I would like to see more work on this document is
around operational considerations. What parameters do servers need to
maintain in order to manage timestamps and nonces? How do they decide
when they can forget nonces?
Thanks to the authors for their good work on this. Looking forward to
seeing the next version.
--Richard
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
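As an added illustration of the nonce-retention question raised in the review above (this is example code, not part of the draft or of the reviewer's message): a server that bounds timestamp skew to a fixed window can forget a nonce once its timestamp falls outside that window, because any replay carrying that timestamp is already rejected by the skew check. It assumes the scheme delivers a key identifier, a client timestamp in seconds and a nonce with each request; the window size and the tuple layout are assumptions for the example.

```python
import time
from collections import deque


class NonceCache:
    """Replay protection for a MAC-style scheme that sends (key id, timestamp, nonce).

    A request is accepted only if its timestamp lies within +/- window seconds of
    server time and the (key_id, nonce) pair has not been seen inside that window.
    Memory is therefore bounded by the number of requests arriving in one window
    per key, independent of how long the server runs.
    """

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds          # assumed skew window, in seconds
        self.clock = clock                    # injectable for testing
        self.seen = set()                     # (key_id, nonce) pairs still remembered
        self.expiry = deque()                 # (ts, key_id, nonce) in arrival order

    def _evict(self, now):
        # A nonce whose timestamp is older than now - window can never be replayed
        # successfully (the timestamp check rejects it), so it is safe to forget.
        # Entries are in arrival order, not timestamp order, so a few may linger
        # slightly past their earliest safe eviction time; that is conservative.
        while self.expiry and self.expiry[0][0] < now - self.window:
            _, key_id, nonce = self.expiry.popleft()
            self.seen.discard((key_id, nonce))

    def check(self, key_id, ts, nonce):
        """Return (accepted, reason). The nonce is recorded only on acceptance."""
        now = self.clock()
        self._evict(now)
        if abs(ts - now) > self.window:
            return False, "stale timestamp"
        if (key_id, nonce) in self.seen:
            return False, "replayed nonce"
        self.seen.add((key_id, nonce))
        self.expiry.append((ts, key_id, nonce))
        return True, "ok"

    def remembered(self):
        """Number of nonces currently held; useful for sizing the store."""
        return len(self.seen)


if __name__ == "__main__":
    cache = NonceCache(window_seconds=300)
    now = int(time.time())
    # Constructed sample requests: a fresh request, its replay, and a stale one.
    print(cache.check("key-1", now, "n-abc"))        # accepted
    print(cache.check("key-1", now, "n-abc"))        # rejected: replayed nonce
    print(cache.check("key-1", now - 900, "n-old"))  # rejected: stale timestamp
```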