Thank you for your review. We've reworked section 8.7 to move the focus away from the user regarding mitigations for apps that fake external user-agents.
On Tue, May 23, 2017 at 2:48 PM, Ben Campbell <[email protected]> wrote:
> Ben Campbell has entered the following ballot position for
> draft-ietf-oauth-native-apps-11: No Objection
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I agree with Adam's general sentiment about detection of bad behavior vs
> asking people not to be bad.
>
> - 8 and its children: There seems to be a lot of duplication (including
> duplication of normative language) between the security considerations
> and the rest of the document.
>
> - 8.7: This section seems to argue against using in-app browser tabs in
> the first place. If there is no good way for the user to tell the
> difference between that and an embedded UA, then maybe we should train
> users to be suspicious of any in-app presentation of the authorization
> request? The last paragraph seems to be founded on a mismatch between
> user needs and typical user sophistication.

Re-worked this section a lot with a focus on actionable steps that authorization servers and app stores can take. Also covers some "detection of bad behavior".
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
