On 04/24/2012 01:17 AM, Mark Mcgloin wrote:
> Hi Thomas
>
> Your additional text is already covered in a countermeasure for section
> 4.1.4.  In addition, section 4.1.4.4 states the assumption that the auth
> server can't protect against a user installing a malicious client.


The more I read this draft, the more borked I think its base assumptions
are. The client *is* one of the main threats. Full stop. A threat document
should not be asking the adversary to play nice. Yet, 4.1.4 bullets 1 and
3 are doing exactly that again. If those are countermeasures, then so is
visualizing world peace.

As for bullet two, it doesn't mention revocation, and I prefer Barry's
section generally. I can't find a section 4.1.4.4.

Mike
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth