Hi Justin,

On Mon, Apr 20, 2015 at 8:24 AM, Justin Richer <[email protected]> wrote:

>  Kathleen,
>
> Thanks for the update. How would we best handle this situation, since it's
> really referring to additional information that's outside the scope of the
> interoperable core? Since we're not specifying what the data is, we're not
> really in a position to say what the concerns are in a concrete manner. I'm
> thinking a sentence or two like this in the privacy considerations section:
>
> If the protected resource sends additional information about the client's
> request to the authorization server using an extension of this
> specification, such as the client's IP address or other information, such
> information could have have additional privacy considerations.
>
>
I think that looks good and you may want to say it is out-of scope for this
draft so no one asks why you didn't go deeper.

Let me know once it is ready and I'll kick off last call.

Thanks.
Kathleen

>
>
> -- Justin
>
>
> On 4/19/2015 7:01 PM, Kathleen Moriarty wrote:
>
> Hello,
>
>  Thank you for your work on draft-ietf-oauth-introspection-07.  The
> security considerations appear to be addressed well and I was glad to see
> how a response is handled when the response code is false, to not reveal
> information as to why.
>
>  The privacy considerations look good, but I do have another question
> that should be addressed in the draft in regard to privacy.
>
>  Section 2.1 says an IP address (or something else) might be used to
> provide context of the query, the authorization server could have other
> information about the client.  It would be good to mention privacy related
> considerations for the client in this case in addition to what gets
> returned in the Introspection Response (already covered).
>
>  Thank you.
>
>
>  --
>
> Best regards,
> Kathleen
>
>
> _______________________________________________
> OAuth mailing [email protected]https://www.ietf.org/mailman/listinfo/oauth
>
>
>


-- 

Best regards,
Kathleen
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to