Discussion:
[OAUTH-WG] Ben Campbell's No Objection on
William Denniss
2017-06-09 23:40:18 UTC
Thank you for your review.

We've reworked section 8.7 to move the focus away from the user regarding
mitigations for apps that fake external user-agents.
> Ben Campbell has entered the following ballot position for
> draft-ietf-oauth-native-apps-11: No Objection
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> I agree with Adam's general sentiment about detection of bad behavior vs
> asking people not to be bad.
> -8 and its children: There seems to be a lot of duplication (including
> duplication of normative language) between the security considerations
> and the rest of the document.
> - 8.7: This section seems to argue against using in-app browser tabs in
> the first place. If there is no good way for the user to tell the
> difference between that and an embedded UA, then maybe we should train
> users to be suspicious of any in-app presentation of the authorization
> request? The last paragraph seems to be founded on a mismatch between
> user needs and typical user sophistication.
Re-worked this section a lot with a focus on actionable steps that
authorization servers and app stores can take. Also covers some "detection
of bad behavior".
