IETF Logo Mail Archive

Re: [OAUTH-WG] Security Considerations Section Proposal -02

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 07 April 2011 16:47 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F2F423A698B for <oauth@core3.amsl.com>; Thu, 7 Apr 2011 09:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.939
X-Spam-Level:
X-Spam-Status: No, score=-1.939 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19oMd77Tw7Z0 for <oauth@core3.amsl.com>; Thu, 7 Apr 2011 09:47:30 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.7]) by core3.amsl.com (Postfix) with ESMTP id 931E43A6A1E for <oauth@ietf.org>; Thu, 7 Apr 2011 09:47:30 -0700 (PDT)
Received: from [80.187.101.233] (helo=[192.168.43.164]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1Q7sOP-00039T-GZ; Thu, 07 Apr 2011 18:49:13 +0200
Message-ID: <4D9DEB07.9070302@lodderstedt.net>
Date: Thu, 07 Apr 2011 18:49:11 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4D9D6759.3070904@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234465664E1A1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234465664E1A1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Security Considerations Section Proposal -02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2011 16:47:34 -0000

fine with me, you can obtain the source from 
https://github.com/tlodderstedt/oauth2/raw/master/draft-lodderstedt-oauth-securityconsiderations.xml

Am 07.04.2011 16:10, schrieb Eran Hammer-Lahav:
> I think it would be best to publish -16 immediately with this text, mark it as pending consensus, and continue with a single document. This will make it easier for new readers as well as for everyone else.
>
> I will push it out in a couple of hours.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Torsten Lodderstedt
>> Sent: Thursday, April 07, 2011 12:27 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Security Considerations Section Proposal -02
>>
>> Hi all,
>>
>> I just posted a new revision of the proposed text for the core draft's security
>> considerations section (http://tools.ietf.org/html/draft-lodderstedt-oauth-
>> securityconsiderations-02).
>>
>> The text makes some strong statements wrt client secrets/authentication,
>> HTTPS, refresh tokens and other topics. This is to facilitate a clear and
>> understandable specification while also considering (and supporting) _all_
>> relevant use cases (e.g. native apps).
>>
>> Since this is the last major building block of the draft, we would like to include
>> this text as soon as possible.
>>
>> So please give your feedback soon!
>>
>> thanks in advance,
>> Torsten.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email