[Last-Call] Secdir last call review of draft-ietf-oauth-dpop-12

Reviewer: Benjamin Schwartz
Review result: Ready

This is a very mature, carefully drafted specification.

Question: Under Dynamic Client Registration, do we need a mechanism for the
client to learn the required signature algorithms?  In general, there is no
discussion of how mutually acceptable signature algorithms might be negotiated.

   Unlike cryptographic
   nonces, it is acceptable for clients to use the same nonce multiple
   times, and for the server to accept the same nonce multiple times.

This suggests that there may be another term that is better than "nonce", such
as "epoch", "session ID", or "tag".

Section 11.4:

   This grant needs to be "silent", i.e., not require interaction with
   the user.

Why? Surely an occasional user authentication refresh is not such a red flag to
ordinary users.


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
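As an added illustration of the nonce semantics quoted in the review above (this is example code, not text from the draft or the reviewer): a server-side check for the DPoP "nonce" claim in which the same server-issued nonce is accepted across many proofs until the server rotates it, while replay protection rests on the per-proof "jti" claim. The class name, rotation window and iat window are assumptions; the DPoP-Nonce header and the use_dpop_nonce error code are the ones the draft defines.

```python
import secrets

class DPoPNonceValidator:
    """Hypothetical server-side handling of the DPoP 'nonce' claim.

    The server hands out the nonce in a DPoP-Nonce header. Unlike a
    cryptographic nonce it is reusable: every proof carrying the current
    (or immediately previous) nonce is accepted. Replay of an individual
    proof is caught through its unique 'jti' claim, not through the nonce.
    """

    def __init__(self, now, rotate_every=300, iat_window=60):
        self.rotate_every = rotate_every   # seconds between nonce rotations (assumed)
        self.iat_window = iat_window       # tolerated clock skew for 'iat' (assumed)
        self.current = secrets.token_urlsafe(16)
        self.previous = None
        self.issued_at = now
        self.seen_jti = {}                 # jti -> expiry time, for replay detection

    def rotate(self, now):
        # Roll the nonce forward; keep one previous value so in-flight proofs still pass.
        if now - self.issued_at >= self.rotate_every:
            self.previous, self.current = self.current, secrets.token_urlsafe(16)
            self.issued_at = now

    def validate(self, claims, method, url, now):
        """Return 'ok' or the error the server would report for this proof."""
        self.rotate(now)
        if claims.get("htm") != method or claims.get("htu") != url:
            return "bad_htm_htu"           # proof bound to a different request
        if abs(now - claims.get("iat", 0)) > self.iat_window:
            return "stale_iat"
        if claims.get("nonce") not in (self.current, self.previous):
            return "use_dpop_nonce"        # client retries with the fresh DPoP-Nonce
        jti = claims.get("jti")
        # Drop expired jti entries, then reject any proof seen before.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        if not jti or jti in self.seen_jti:
            return "replayed_jti"
        self.seen_jti[jti] = now + self.iat_window
        return "ok"
```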