Hi, I reviewed draft-ietf-oauth-dyn-reg-20 and have the following questions before we move this to IETF last call.

Sect 2: Has there been any consideration in the WG of using alternate auth methods from HTTPAuth like HOBA? I realize this is referencing OAuth defined methods from the framework draft, but would like to know what was considered or not. HOBA is heading to IETF last call soon.

Section 6: Why is there a choice on TLS? I'd recommend you make it require 1.2 unless there is a really compelling argument to have that must as either 1.2 or 1.0.

Sect 6 paragraph 5: Why are the security recommendations listed as 'could'?

Sect 6 paragraph 7: What makes it 'valid and trusted'? The flow of this paragraph could be improved so the terms valid and trusted are connected to earlier statements to separate it better from the plain JSON objects.

Please add a section or interspersed statements on privacy considerations. Include text on what may be of concern (names, contacts, etc.) and what can be done to protect the values (interspersed may be easier) or that they may be left out to remove concerns.

Thank you,
Kathleen
