Kathleen,

Thanks for the update. How would we best handle this situation, since it's really referring to additional information that's outside the scope of the interoperable core? Since we're not specifying what the data is, we're not really in a position to say what the concerns are in a concrete manner. I'm thinking a sentence or two like this in the privacy considerations section:

   If the protected resource sends additional information about the
   client's request to the authorization server using an extension of
   this specification, such as the client's IP address or other
   information, such information could have have additional privacy
   considerations.



-- Justin

On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
Hello,

Thank you for your work on draft-ietf-oauth-introspection-07. The security considerations appear to be addressed well and I was glad to see how a response is handled when the response code is false, to not reveal information as to why.

The privacy considerations look good, but I do have another question that should be addressed in the draft in regard to privacy.

Section 2.1 says an IP address (or something else) might be used to provide context of the query, the authorization server could have other information about the client. It would be good to mention privacy related considerations for the client in this case in addition to what gets returned in the Introspection Response (already covered).

Thank you.


--

Best regards,
Kathleen


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to