Justin Richer <[email protected]> writes:
> I think the concern here is that rotation of client credential is not
> something discussed before. Before we put it in the spec we should
> consider the reasons for doing it and what problems it solves.
>
> The client doesn't get to choose when its credentials get rotated. It used to
> be able to, but now it's purely the server's choice, including whether or not
> it wants to rotate things at all. I think this confusion can be cleared up
> with the explicit lifecycle discussion getting pulled out into one place.
From a security standpoint, either side should be able to rotate keys.
It should not be only one side's choice; either side should have the
option to refresh due to local policy (or worse, local knowledge of an
issue).
-derek
--
Derek Atkins 617-623-3745
[email protected] www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth