Hi

IMHO the fact that the transformation of the code_verifier is pluggable is a major improvement, and the whole text somehow reads much more easily (a few minor typos in the introduction).

The only doubt is about the 'MUST' bit where the client is expected to figure out that the server supports this spec. Not a problem for me as I don't work on implementing a client, but it seems like it makes the whole process suddenly much more complex than maybe it should be.

Would it make sense to change 'MUST' to 'RECOMMENDED' and have the authorization service return a code_verifier_accepted or some similar response parameter, alongside the 'code', instead? Not really though,

Cheers, Sergey



On 19/10/13 11:15, Nat Sakimura wrote:
Incorporated the discussion at Berlin meeting and after in the ML.

Best,

Nat

---------- Forwarded message ----------
From: ** <[email protected] <mailto:[email protected]>>
Date: 2013/10/19
Subject: New Version Notification for draft-sakimura-oauth-tcse-02.txt
To: Nat Sakimura <[email protected] <mailto:[email protected]>>, John
Bradley <[email protected] <mailto:[email protected]>>,
Naveen Agarwal <[email protected] <mailto:[email protected]>>



A new version of I-D, draft-sakimura-oauth-tcse-02.txt
has been successfully submitted by Nat Sakimura and posted to the
IETF repository.

Filename:        draft-sakimura-oauth-tcse
Revision:        02
Title:           OAuth Symmetric Proof of Posession for Code Extension
Creation date:   2013-10-19
Group:           Individual Submission
Number of pages: 8
URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-02.txt
Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-02
Diff: http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-02

Abstract:
    The OAuth 2.0 public client utilizing authorization code grant is
    susceptible to the code interception attack.  This specification
    describes a mechanism that acts as a control against this threat.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org
<http://tools.ietf.org>.

The IETF Secretariat
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
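The exchange the draft's abstract and Sergey's two points describe (a pluggable code_verifier transformation, and what happens when a client cannot tell whether the server supports the extension), as an added example that is not part of the thread and not code from the draft or its authors. It is an in-memory model only; the parameter names code_challenge, code_challenge_method and code_verifier and the "plain" and "S256" transforms are taken from the final RFC 7636 text and may not match draft -02 exactly, and the server that silently ignores the challenge is a constructed scenario used to illustrate the 'MUST' concern.

```python
# Added example, not code from the thread or from draft-sakimura-oauth-tcse:
# a minimal in-memory model of the code_verifier / code_challenge exchange.
# Assumptions: parameter names and the "plain" / "S256" transforms follow the
# final RFC 7636 text (which may differ from draft -02); the legacy server that
# ignores the challenge is a constructed scenario, not something the draft defines.
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the S256 transform requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# The pluggable part: a registry of code_verifier -> code_challenge transforms.
TRANSFORMS = {
    "plain": lambda verifier: verifier,
    "S256": lambda verifier: _b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
}


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    return TRANSFORMS[method](verifier)


@dataclass
class AuthorizationServer:
    """Binds each issued code to the challenge and method it was issued with."""
    supports_pkce: bool = True
    _codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "plain") -> str:
        if not self.supports_pkce:
            code_challenge = None      # legacy server: the parameter is ignored
        elif code_challenge is not None and code_challenge_method not in TRANSFORMS:
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str = "") -> dict:
        entry = self._codes.pop(code, None)        # a code is single use
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, challenge, method = entry
        if bound_client != client_id:
            return {"error": "invalid_grant"}
        if challenge is not None:
            # The server recomputes the transform and compares in constant time.
            if not code_verifier:
                return {"error": "invalid_grant"}
            expected = TRANSFORMS[method](code_verifier)
            if not hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def legitimate_flow(method: str = "S256") -> dict:
    """Public client completes the exchange with the verifier it generated."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("app", make_code_challenge(verifier, method), method)
    return server.token("app", code, verifier)


def intercepted_code_flow(method: str = "S256", supports_pkce: bool = True) -> dict:
    """Attacker captures the code from the redirect but never saw the verifier.

    With supports_pkce=False the server drops the challenge on the floor and the
    intercepted code is still redeemable, which is why the client has to know
    the server actually implements the extension.
    """
    server = AuthorizationServer(supports_pkce=supports_pkce)
    verifier = make_code_verifier()
    code = server.authorize("app", make_code_challenge(verifier, method), method)
    return server.token("app", code)             # no code_verifier
```

The S256 branch can be checked against the test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk gives challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM); the "plain" method is only as strong as the confidentiality of the authorization request itself.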
