Hi. Thanks for the detailed comments.
Here are the responses to the questions raised in [1]
[1] http://www.tschofenig.priv.at/oauth/draft-ietf-oauth-spop-00-hannes.doc
3.1 [Question: Would it make sense to provide some information also in the
Dynamic Client Registration specification? I am a
Responses inline:
2014-08-29 10:00 GMT+09:00 Mike Jones michael.jo...@microsoft.com:
Here's some feedback on the document.
First, while I believe that the document is a good first working group
draft and this specification is important, it is not ready for last call,
since there are
On #1, I know some have pushed for having the transformation options so I
don't know if dropping it will work. But, if not removed entirely, the
transformation stuff could definitely be deemphasized in favor of what will
be the most common case of the client sending a random string value on the
Hi James and Brian,
First, I apologize for taking a long time to respond to James.
My responses inline:
2014-09-03 2:49 GMT+09:00 Brian Campbell bcampb...@pingidentity.com:
On #1, I know some have pushed for having the transformation options so I
don't know if dropping it will work. But, if
I don't think the inclusion of a MAC transform to protect the request is
necessary for it to be called proof of possession.
The other way to protect the request is with a signed/encrypted request object.
That is heavier weight than the HMAC transform.
I may have come up with the trick of
I support the use of public key. As I remember, our discussion started
there.
I still believe this is something that needs to be standardized.
However, for the spop use case, we have determined that is overkill and best
left for another draft.
It looks like there is strong support in the
Thanks for the review, Tom. I've cc'ed the OAuth working group so that they're
aware of the contents of your review.
-- Mike
-Original Message-
From: Tom Taylor [mailto:tom.taylor.s...@gmail.com]
Sent: Saturday, August 23, 2014 8:39 PM
To: