- edited description
-
assigned issue to
- changed title to BK: Comment 1-1
BK: Comment 1
Issue #83
resolved
Section 1
While it is easy to implement, the encoding in the URI does not allow
application layer security with confidentiality and integrity
protection to be used. While TLS is used to offer communication
nit: this wording is a little hard to read; it might be easier to
reorder to "does not allow application layer security to be used to
provide confidentiality and integrity protection".
The use of application layer security allows requests to be prepared
by a third party so that a client application cannot request more
permissions than previously agreed. This offers an additional degree
of privacy protection.
(side note) what would an example of such a third party be. (We already
have the resource owner, the client, and the authorization server ...
maybe it's a fourth party?)
Furthermore, the request by reference allows the reduction of over-
the-wire overhead.
We only barely mentioned by-reference at this point (one line in the
Abstract), so I'd suggest "passing the request by reference".
(4) its development status that it is an RFC and so is its
associated signing and encryption methods as [RFC7515] and
[RFC7516]
nit: I'd suggest "its development status as a Proposed Standard, along
with the associated signing and encryption methods [RFC7515] [RFC7516]."
(c) (confidentiality protection) The request can be encrypted so
that end-to-end confidentiality can be provided even if the TLS
connection is terminated at one point or another.
nit: TLS is always terminated at or before the user-agent, though. So
maybe the user agent needs to get called out here as well (there could
of course be TLS termination earlier than the user-agent in some cases,
too).
2. When the client does not want to do the crypto. The
Authorization Server may provide an endpoint to accept the
Authorization Request through direct communication with the
Client so that the Client is authenticated and the channel is TLS
protected.
How can you "not want to do [the] crypto" but still be doing TLS (with
crypto)? Perhaps we're looking for "not want to pay the additional
overhead of JWS/JWE cryptography on top of TLS"?
Comments (4)
-
reporter -
reporter - marked as major
-
reporter - changed title to BK: Comment 1
-
reporter - changed status to resolved
→ <<cset 23dbadb14ed1>>
- Log in to comment