That works for me.

On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <ka...@mit.edu> wrote:

> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryle...@computer.org> wrote:
> >
> > >
> > > >> — Section 1.1 —
> > > >> Given the extensive discussion of impersonation here, what strikes me as
> > > >> missing is pointing out that impersonation here is still controlled, that “A is
> > > >> B” but only to the extent that’s allowed by the token.  First, it might be
> > > >> limited by number of instances (one transaction only), by time of day (only for
> > > >> 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
> > > >> Second, there is accountability: audit information still shows that the token
> > > >> authorized acting as B.  Is that not worth clarifying?
> > > >
> > > > My initial response was going to be "sure, I'll add some bits in sec 1.1
> > > > along those lines to clarify that." However, as I look again at that section
> > > > for good opportunities to make such additions, I feel like it is already
> > > > said that impersonation is controlled.
> > > ...
> > > > So I think it already says that and I'm gonna have to flip it back and
> > > > ask if you have concrete suggestions for changes or additions that would
> > > > say it more clearly or more to your liking?
> > >
> > > It is mentioned, true, and that might be enough.  But given that Eve
> > > also replied that she would like more here, let me suggest something,
> > > the use of which is entirely optional -- take it, don't take it,
> > > modify it, riff on it, ignore it completely, as you think best.  What
> > > do you think about changing the last sentence of the paragraph?: "For
> > > all intents and purposes, when A is impersonating B, A is B within the
> > > rights context authorized by the token, which could be limited in
> > > scope or time, or by a one-time-use restriction."
> > >
> >
> > Sure, I think that or some slight modification thereof can work just fine.
> > I'll do that and get it and the rest of these changes published when the
> > I-D submission embargo is lifted for Montreal.
>
> My brain is apparently storming and not sleeping.  Another option for
> consideration is to have two sentences:
>
> For all intents and purposes, when A is impersonating B, A is B within the
> rights context authorized by the token.  A's ability to impersonate B could
> be limited in scope or time, or even with a one-time-use restriction,
> whether via the contents of the token or an out-of-band mechanism.
>
> -Ben
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth