Hi Mike, Phil, Tony, I have read through draft-ietf-oauth-amr-values-01. My earlier comments have been addressed.
As a shepherd I nevertheless have a few questions/remarks:

1) The term 'multiple-channel authentication' is unfamiliar to me. Could you give me an example or a reference to a specification?

2) PIN: The use of RFC 2119 language appears to be inappropriate.

3) Could you explain to me what 'risk-based authentication' is? While you provided a reference

4) Could we generalize the term 'wia' to operating systems other than Windows as well?

5) I am not sure whether all normative references indeed need to be declared as such. For example, 'otp' is defined in a very generic fashion, but you list HOTP and TOTP as normative references. I would rather see HOTP and TOTP as standardized examples of one-time passwords. IMHO the story would be different if you indeed want to differentiate between the different technical mechanisms themselves. This is a reasonable approach as well if the security differences between the mechanisms are important for the given application.

Ciao
Hannes
OAuth mailing list: https://www.ietf.org/mailman/listinfo/oauth
