On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <
[email protected]> wrote:

> Hi Hans,
>
> > On 18. Nov 2019, at 04:11, Hans Zandbelt <[email protected]>
> wrote:
> >
> > Hi,
> >
> > Please find my feedback from page 21 onwards below.
> >
> > Hans.
> >
> > Overall I would argue there's room for a very concise guidance section
> that says: do this, don't do that, without explanation, just as a reference
> for developers; the current text provides in depth analysis but that is
> perhaps not suitable for developers who just want to know what to do (or
> not to do) and don't really care about the background/reasoning
>
> While section 4 gives the raw security threat analysis, we tried to
> summarise the actionable guidance in section 3. What do you miss there?
>

I'd rather see it even shorter and more concise, but I guess you're right,
it is there.


> >
> > P21
> > first bullet
> > "the client has bound this data to this particular instance." ->
> particular instance of what?
>
> This bullet refers to the note above.
>
> "Note: this check could also detect attempts to inject a code which
>    had been obtained from another instance of the same client on another
>    device, if certain conditions are fulfilled:"
>

ok, I see


> >
> > 3rd paragraph:
> > "call to the tokens endpoint." -> "call to the token endpoint."
>
> Fixed
>
> >
> > last paragraph could forward point to the next section by adding
> something like
> > "using one of the mechanisms described in the next section."
>
> Incorporated
>
> >
> > P22
> > 3rd paragraph:
> > is the token binding guidance still accurate? it seems to be
> overestimating the adoption
>
> You mean this statement?
>
> "Token binding is
>       promising as a secure and convenient mechanism (due to its browser
>       integration).  As a challenge, it requires broad browser support
>       and use with native apps is still under discussion.”
>

yeah, but after re-reading I guess this actually spells out the adoption
conditions, so it is fine.

Hans.


>
> Thanks,
> Torsten.
>
> >
> > --
> > [email protected]
> > ZmartZone IAM - www.zmartzone.eu
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
[email protected]
ZmartZone IAM - www.zmartzone.eu
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
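The P21 exchange above turns on the note that a client's redirect check "could also detect attempts to inject a code which had been obtained from another instance of the same client on another device" when "the client has bound this data to this particular instance." The following is an added illustration of that check, written for this page; it is not code from the thread, the draft, or ZmartZone. It assumes (the thread does not say) that "this data" is the `state` value together with a PKCE `code_verifier`, both held only in the memory of the client instance that started the request. Two instances of the same client run against a toy authorization server; a code obtained on one device and injected into the other is rejected twice: first by the client, because the accompanying `state` is unknown to it, and then, if an attacker managed to reuse a state the client does know, by the server's PKCE check, because the verifier this instance holds does not match the challenge the code was bound to.

```python
"""Per-instance binding of state and PKCE verifier as an authorization-code
injection check. Added example; all names and the toy server are assumptions."""
import base64
import hashlib
import secrets
from typing import Dict, Optional


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ClientInstance:
    """One installation of the client, e.g. the app on one device.

    Pending requests live only in this instance, so a state or code_verifier
    issued here is never known to another instance of the same client.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self._pending: Dict[str, str] = {}  # state -> code_verifier

    def begin(self) -> dict:
        """Build the authorization request and remember what it is bound to."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)
        self._pending[state] = verifier
        return {"state": state, "code_challenge": s256(verifier),
                "code_challenge_method": "S256"}

    def finish(self, state: str, code: str) -> Optional[dict]:
        """Handle the redirect. A state this instance never issued is rejected
        outright; otherwise the code is paired with this instance's verifier."""
        verifier = self._pending.pop(state, None)  # one-shot: no replay
        if verifier is None:
            return None
        return {"grant_type": "authorization_code", "code": code,
                "code_verifier": verifier}


class AuthorizationServer:
    """Toy AS (constructed for the example): binds each code to its challenge."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}  # code -> code_challenge

    def authorize(self, request: dict) -> dict:
        code = secrets.token_urlsafe(24)
        self._codes[code] = request["code_challenge"]
        return {"code": code, "state": request["state"]}

    def token(self, token_request: dict) -> dict:
        challenge = self._codes.pop(token_request["code"], None)  # single use
        if challenge is None or s256(token_request["code_verifier"]) != challenge:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Legitimate flow on device A, then two injection attempts of a code
    that was obtained on device B. Returns the outcome of each step."""
    auth_server = AuthorizationServer()
    device_a = ClientInstance("device A")
    device_b = ClientInstance("device B")

    # Legitimate: A starts a request and receives its own response.
    req_a = device_a.begin()
    resp_a = auth_server.authorize(req_a)
    token_req = device_a.finish(resp_a["state"], resp_a["code"])
    legit_ok = token_req is not None and "access_token" in auth_server.token(token_req)

    # Attacker obtains the response meant for instance B on another device.
    req_b = device_b.begin()
    resp_b = auth_server.authorize(req_b)

    # Injection 1: B's state and code are delivered to A. A never issued
    # that state, so the check fails before any token request is made.
    injected_with_b_state = device_a.finish(resp_b["state"], resp_b["code"])

    # Injection 2: attacker reuses a state A does know, paired with B's code.
    req_a2 = device_a.begin()
    forged = device_a.finish(req_a2["state"], resp_b["code"])
    # A sends B's code with A's verifier; the AS sees a challenge mismatch.
    as_reply = auth_server.token(forged) if forged else {"error": "not_sent"}

    return {
        "legitimate_flow_succeeds": legit_ok,
        "foreign_state_rejected_by_client": injected_with_b_state is None,
        "foreign_code_rejected_by_server": as_reply.get("error") == "invalid_grant",
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The first rejection is the client-side check the draft's note describes; the second shows the "certain conditions" at work: the check only helps if the bound data (here the PKCE verifier) really is per-instance, so that a code minted for another device cannot be redeemed with what this device holds.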
