On 04/24/2012 10:26 AM, Phil Hunt wrote:
> Michael feels the premise for the document is "borked" because his comments are
> not included. However, there are those of us that feel the document instead needs to be
> sharply edited back to focus even tighter on OAuth specific issues.

Actually, my last call comments were for two different things:
1) remove mitigation bullets that are either wrong, ineffective,
or smarmy platitudes (cf 'borked').
2) make perfectly clear that embedded webviews and native clients
which widely use OAuth today do not protect users from rogue clients
gaining access to their credentials. My bullet added to Barry's edits
on this point was mainly to reinforce that authentication servers
have a part to play too.
I would think you'd be happy for #1 :)
Mike
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth