Thanks for your review, Kathleen. Draft -04 has been published to address
these comments. Actions taken are described inline.
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of Kathleen Moriarty
Sent: Saturday, October 29, 2016 3:51 AM
To: [email protected]
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-amr-values
Hello,
I reviewed draft-ietf-oauth-amr-values and have a few comments. First, thanks
for your work on this draft!
Several of the authentication methods mentioned are typically used (or
recommended for use) as a second or third factor. I see in section 3 that
multiple methods can be contained in the claim. I'd like to see an example of
single and multiple authentication methods being represented. Was it a WG
decision to leave out examples?
· Added “amr” claim examples with both single and multiple values.
In the Privacy considerations section, I think it should be made clear that the
actual credentials are not part of this specification to avoid additional
privacy concerns for biometric data.
· Clarified that the actual credentials referenced are not part of this
specification to avoid additional privacy concerns for biometric data.
Section 5, shouldn't a pointer be here to the attacks on OAuth 2.0 as well?
· Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to
applications using this specification.
Thank you.
--
Best regards,
Kathleen