Hi Hans,

> On 18. Nov 2019, at 04:11, Hans Zandbelt <[email protected]> wrote:
>
> Hi,
>
> Please find my feedback from page 21 onwards below.
>
> Hans.
>
> Overall I would argue there's room for a very concise guidance section that
> says: do this, don't do that, without explanation, just as a reference for
> developers; the current text provides in depth analysis but that is perhaps
> not suitable for developers who just want to know what to do (or not to do)
> and don't really care about the background/reasoning
While section 4 gives the raw security threat analysis, we tried to summarise
the actionable guidance in section 3. What do you miss there?
>
> P21
> first bullet
> "the client has bound this data to this particular instance." -> particular
> instance of what?
This bullet refers to the note above.
"Note: this check could also detect attempts to inject a code which
had been obtained from another instance of the same client on another
device, if certain conditions are fulfilled:"
>
> 3rd paragraph:
> "call to the tokens endpoint." -> "call to the token endpoint."
Fixed
>
> last paragraph could forward point to the next section by adding something
> like
> "using one of the mechanisms described in the next section."
Incorporated
>
> P22
> 3rd paragraph:
> is the token binding guidance still accurate? it seems to be overestimating
> the adoption
You mean this statement?
"Token binding is
promising as a secure and convenient mechanism (due to its browser
integration). As a challenge, it requires broad browser support
and use with native apps is still under discussion."
Thanks,
Torsten.
>
> --
> [email protected]
> ZmartZone IAM - www.zmartzone.eu
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
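The exchange above turns on the note that a client can detect an injected authorization code when it has bound the per-request data to its own instance. The following is an added illustration, not code from the draft or from either author: a simulation in which each client instance keeps its own pending `state` values and a PKCE-style `code_verifier` (RFC 7636; the thread itself does not name the mechanism, so treating the verifier as the bound data is an assumption here), and an authorization server that checks the verifier at the token endpoint. All identifiers and values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for state/verifier/challenge values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Minimal AS: issues codes bound to a code_challenge, checks the verifier later."""

    def __init__(self) -> None:
        self.codes: dict[str, str] = {}  # code -> code_challenge it was issued with

    def authorize(self, request: dict) -> tuple[str, str]:
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = request["code_challenge"]
        return code, request["state"]

    def token_endpoint(self, code: str, code_verifier: str) -> tuple[str, str]:
        # Single use: the code is consumed whether or not the check succeeds.
        challenge = self.codes.pop(code, None)
        if challenge is None:
            return ("rejected", "unknown or already used code")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, challenge):
            return ("rejected", "code_verifier does not match the code's challenge")
        return ("ok", "access-token-for-" + code)


class ClientInstance:
    """One installed instance of the same client (e.g. the app on one device)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.pending: dict[str, str] = {}  # state -> code_verifier, local to this instance

    def start_authorization(self) -> dict:
        state = b64url(secrets.token_bytes(16))
        verifier = b64url(secrets.token_bytes(32))
        self.pending[state] = verifier  # the binding the draft's note refers to
        challenge = b64url(hashlib.sha256(verifier.encode()).digest())
        return {"state": state, "code_challenge": challenge}

    def handle_callback(self, state: str, code: str, server: AuthorizationServer) -> tuple[str, str]:
        # A state this instance never issued means the code did not come from
        # a request this instance started; reject before any token endpoint call.
        verifier = self.pending.pop(state, None)
        if verifier is None:
            return ("rejected", f"{self.name}: state not bound to this instance")
        return server.token_endpoint(code, verifier)


def simulate() -> dict:
    """Run an honest flow and two injection attempts; return the outcome of each."""
    server = AuthorizationServer()
    device_a = ClientInstance("device-A")
    device_b = ClientInstance("device-B")

    # Honest flow on device A.
    req_a = device_a.start_authorization()
    code_a, state_a = server.authorize(req_a)
    honest = device_a.handle_callback(state_a, code_a, server)

    # A code obtained from device B's flow is presented to device A with B's state.
    req_b = device_b.start_authorization()
    code_b, state_b = server.authorize(req_b)
    foreign_state = device_a.handle_callback(state_b, code_b, server)

    # The same foreign code is presented to device A under one of A's own states.
    req_a2 = device_a.start_authorization()
    _, state_a2 = server.authorize(req_a2)
    foreign_code_own_state = device_a.handle_callback(state_a2, code_b, server)

    return {
        "honest": honest,
        "foreign_state": foreign_state,
        "foreign_code_own_state": foreign_code_own_state,
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The two rejection paths correspond to the two checks discussed: the client-side state binding catches a code that arrives with data the instance never produced, and the token endpoint catches a code whose verifier was generated elsewhere even when the client-side check is bypassed.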
