Thank you for the comments, Roman. Thank you for your suggestion, Warren.
I prefer Roman's solution because I'd like to keep the policy/configuration/scenario part. I think it helps to explain _why_ these decisions are out of the scope for this specification.
Best regards,
Karsten

On 27.10.2021 22:10, Warren Parad wrote:
Would making it even simpler also work? (and is more consistent with the 6749 language)

"The decision of whether to accept such responses is beyond the scope of this specification."

Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.

On Wed, Oct 27, 2021 at 9:41 PM Roman Danyliw <r...@cert.org> wrote:

Hi!

I performed an AD review of draft-ietf-oauth-iss-auth-resp-02. Thanks for documenting this mitigation. The document is in good shape so I am advancing it to IETF LC. Please treat these minor comments as part of that feedback:

** Section 2.4. Editorial.

"The decision of whether to accept such responses is individual for every scenario and it is not in the scope of this specification."

Would it be more clear to say:

"Local policy or configuration can determine whether to accept such responses and specific guidance is out of scope for this specification."

There is also similar language in the next paragraph.

** Section 5.1 and 5.2. Per the "Change Control" field, please s/IESG/IETF/

Thanks,
Roman

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog: https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz