Michael Thomas <[email protected]> wrote on 24/04/2012 14:24:47:

> Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
>
> On 04/24/2012 01:17 AM, Mark Mcgloin wrote:
> > Hi Thomas
> >
> > Your additional text is already covered in a countermeasure for section
> > 4.1.4. In addition, section 4.1.4.4 states the assumption that the auth
> > server can't protect against a user installing a malicious client
> >
>
> The more I read this draft, the more borked I think its base assumptions
> are. The client *is* one of the main threats. Full stop. A threat document
> should not be asking the adversary to play nice. Yet, 4.1.4 bullets 1 and
> 3 are doing exactly that again. If those are countermeasures, then so is
> visualizing world peace.
>
Irrelevant - we are only discussing bullet 2

> As for bullet two, it doesn't mention revocation, and I prefer Barry's
> section generally. I can't find a section 4.1.4.4
>

Sorry, section 4.4.1.4, not section 4.1.4.4. It is implicit that bad clients will be revoked - for brevity's sake, we don't need to spell that out.

> Mike
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
