Hi Justin, On Mon, Apr 20, 2015 at 8:24 AM, Justin Richer <[email protected]> wrote:
> Kathleen, > > Thanks for the update. How would we best handle this situation, since it's > really referring to additional information that's outside the scope of the > interoperable core? Since we're not specifying what the data is, we're not > really in a position to say what the concerns are in a concrete manner. I'm > thinking a sentence or two like this in the privacy considerations section: > > If the protected resource sends additional information about the client's > request to the authorization server using an extension of this > specification, such as the client's IP address or other information, such > information could have have additional privacy considerations. > > I think that looks good and you may want to say it is out-of scope for this draft so no one asks why you didn't go deeper. Let me know once it is ready and I'll kick off last call. Thanks. Kathleen > > > -- Justin > > > On 4/19/2015 7:01 PM, Kathleen Moriarty wrote: > > Hello, > > Thank you for your work on draft-ietf-oauth-introspection-07. The > security considerations appear to be addressed well and I was glad to see > how a response is handled when the response code is false, to not reveal > information as to why. > > The privacy considerations look good, but I do have another question > that should be addressed in the draft in regard to privacy. > > Section 2.1 says an IP address (or something else) might be used to > provide context of the query, the authorization server could have other > information about the client. It would be good to mention privacy related > considerations for the client in this case in addition to what gets > returned in the Introspection Response (already covered). > > Thank you. > > > -- > > Best regards, > Kathleen > > > _______________________________________________ > OAuth mailing [email protected]https://www.ietf.org/mailman/listinfo/oauth > > > -- Best regards, Kathleen
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
