I disagree. Existing deployments that have not mitigated against the concerns with implicit should be ripped up and updated.
For example, at one time, I think it was Instagram that had deployed implicit because it was easier to do. Once they understood the security implications, they changed the implementation. BCPs are rarely a response to a new threat; they are capturing Best Current Practices so that they become widely deployed.

On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:

> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are saying here. And that was kind of behind the comment I made, or tried to make, about this in Bangkok, which was (more or less) that I don't think the WG should be killing implicit outright but rather that it should begin to recommend against it.
>
> I'm not exactly sure what that looks like in this document but maybe toning down some of the scarier language a bit, favoring SHOULDs vs. MUSTs, and including language that helps a reader understand the recommendations as being more considerations for new applications/deployments than as a mandate to rip up existing ones.
>
> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7...@ve7jtb.com> wrote:
>
>> We just need to be sensitive to the spin on this.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth