Suggesting that they be read is, of course, the right long-term approach. But
as someone who spent 20+ years as a researcher before switching to digital
identity, I was sensitive to not wanting to upstage their work by copying too
much of their material into our draft before their publications were widely
known. I'll of course commit to working with the researchers and the working group
to create a self-contained concise description of the threats and mitigations
in the working group document.
Cheers,
-- Mike
-----Original Message-----
From: Hannes Tschofenig [mailto:[email protected]]
Sent: Saturday, February 20, 2016 2:25 AM
To: Mike Jones <[email protected]>; William Denniss
<[email protected]>; Phil Hunt (IDM) <[email protected]>
Cc: [email protected]
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for
Adoption
Hi Mike,
On 02/20/2016 10:52 AM, Mike Jones wrote:
> Have you read both of their publications? If not, do yourself a favor
> and do. They're actually both very readable and quite informative.
I have read both documents. In the context of this discussion the question is
whether we
(a) require them to be read (in which case they should be a normative
reference), or
(b) suggest them to be read (since they provide additional background
information). In this case they are an informative reference.
I believe we want (b) for the OAuth WG document. While I encourage
everyone to read the publications I also believe that there is lots of material
in there that goes beyond the information our audience typically reads (such as
the text about the formal analysis).
There is probably also a middle-ground where we either copy relevant text from
the papers into the draft or reference specific sections that are "must-read".
One other issue: I actually thought that the threat that is outlined in the
research paper is sufficiently well described but the second threat, which is
called 'cut-and-paste attack', requires more work.
I noted this in my summary mail to the list, see
http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html
Ciao
Hannes
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth