Dear OAuth WG,

I read draft-ietf-oauth-identity-chaining and have some concerns about the security considerations section. As it stands, it seems to completely ignore the security issues associated with mapping and restricting attributes and assuming that this will work on the other side of the transition. Section 2.5 describes reasons this process might exist, but there's no guidance on what this looks like or on the need for both domains A and B to agree on the meaning of the attributes that are being rewritten.

Sincerely,
Watson
---
Astra mortemque praestare gradatim