Ben Campbell has entered the following ballot position for draft-ietf-oauth-native-apps-11: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I agree with Adam's general sentiment about detection of bad behavior vs asking people not to be bad. -8 and it's children: There seems to be a lot of duplication (including duplication of normative language) between the security considerations and the rest of the document. - 8.7: This section seems to argue against using in-app browser tabs in the first place. If there is no good way for the user to tell the difference between that and an imbedded UA, then maybe we should train users to be suspicious of any in-app presentation of the authorization request? The last paragraph seems to be founded on a mismatch between user needs and typical user sophistication. _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
