Do we actually need the issued_at? OAuth doesn't have it, and it still has the expires_in parameter. Nat explains that expires_in makes no sense without issued_at if you are using a protocol that has any latency in it at all. If the protocol is pretty much bulletproof in this respect, then you don't really need issued_at. We agreed to keep both, and also keep their required/optional wording, and let the OAuth group discuss it. OK.
Eve's latest edit to Domenico's diagram adds three asterisked items, reflecting a requester-oriented flow. Without them, it could serve as a host-oriented flow. Regarding the very last step, how would the AS provision the native app with credentials? Nat suggests that something like a notification service would typically be used.
Nat asks whether there is supposed to be a Dev.com->MobileApp interaction after the latter's authentication cycle. If
Dev.com can return a signed value to MobileApp ahead of time with which
Dev.com prepares some metadata uniquely for it, then MobileApp could approach the AS as in Maciej's flow.
Nat will try to do a hybrid flow that we can include in the draft, as a TODO (even if we submit it in that form). Eve will add a third type parameter value for this, called "native-app".
Regarding how to handle signing in the push and pull cases, Nat thinks we can just refer to the OAuth signature solution rather than including precise wording.
Should we mention that the pull scenario requires that the AS correlate the domain of the approaching client with the supplied client_url? This is, in fact, a security consideration. The key thing that makes "pull" more secure is this check. Nat will find some wording on this. OK.
Is the propagation problem improved? We believe so, as long as the client is pushing a URL to the same server that's going to do the pull.
We should probably add HTTP POST examples where necessary. OK.
Which endpoints should require HTTPS? We need to require that endpoints use HTTPS or that the request message to it be signed, and we need to add a security consideration saying that we expect this to be profiled down (e.g. to require both) for higher assurance. OK.