>
> Aaron, I believe you’re trying to optimize the wrong thing. You’re
> concerned about “the amount of explanation this will take”. That’s
> optimizing for spec simplicity – a goal that I do understand. However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers
I will be taking notes using the following link.
https://docs.google.com/document/d/1tPxkaOf74szvDLSEpzXV8lMgSEwcHYMC73OUOv3BKxQ/edit?usp=sharing
-Jared
Skype: jaredljennings
Signal: +1 816.730.9540
WhatsApp: +1 816.678.4152
On Fri, May 8, 2020 at 5:25 PM Rifaat Shekh-Yusef wrote:
> All,
>
> You
Hi Denis,
Sorry for the slow response. I had several deadlines this week and
couldn't think much farther ahead than the next one, so my INBOX fell
behind.
On Mon, May 04, 2020 at 12:36:05PM +0200, Denis wrote:
> Hello Benjamin,
>
> First of all, you don't need to use an aggressive language to s
All,
You can find the meeting material for the May 11th meeting at the
following link:
https://datatracker.ietf.org/meeting/interim-2020-oauth-08/session/oauth
Regards,
Rifaat
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/
Actually, the first paragraph of the Security BCP section at
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1,
which has gone through WGLC, includes the use of “nonce” to prevent
authorization code injection as a best practice. That’s already a pretty
strong stamp
On Fri, May 8, 2020 at 12:42 PM Aaron Parecki wrote:
> > FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
> OAuth 2.0 with best practices.
>
> The line there is kind of fuzzy. The objective is not to introduce new
> concepts, however there are some changes defined that are
We are not discussing anything new here. We are discussing adoption of best
practice.
The disconnect appears to be that one dependent standard’s “typical” use
(nonces) does not have the ietf consensus as best practice.
This lack of consensus needs to be resolved.
Phil
> On May 8, 2020, at
> FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
OAuth 2.0 with best practices.
The line there is kind of fuzzy. The objective is not to introduce new
concepts, however there are some changes defined that are "breaking
changes" from plain OAuth 2.0, because those things b
FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
OAuth 2.0 with best practices.
On Thu, May 7, 2020 at 10:36 PM Philippe De Ryck <phili...@pragmaticwebsecurity.com> wrote:
> From working with a lot of developers on understanding OAuth 2.0 and OIDC,
> I definitely vote for
Daniel, you wrote:
> We would then have:
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
> - use state, except if you use PKCE, then you don't need state.
I believe that this is an accurate statement of th
+1
Phil
> On May 7, 2020, at 11:50 PM, Daniel Fett wrote:
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usag
The following errata report has been submitted for RFC6750,
"The OAuth 2.0 Authorization Framework: Bearer Token Usage".
--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6161
--
Type: Editorial
Hi Daniel,
Thank you for pointing to your dissertation which has the following
title : An Expressive Formal Model of the Web Infrastructure.
Since it is 240 pages long (or thick), I have not read everything but
some sentences brought my attention.
I have experienced formal models in the pas