[Ace] Review of draft-ietf-ace-oauth-authz -12

Jim Schaad <ietf@augustcellars.com> Tue, 19 June 2018 18:05 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: draft-ietf-ace-oauth-authz@ietf.org
CC: ace@ietf.org
Date: Tue, 19 Jun 2018 11:05:17 -0700
Message-ID: <01c601d407f8$16621ec0$43265c40$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/UwLW7yhbVBlwrWfl1uAaJa-CbBA>
Subject: [Ace] Review of draft-ietf-ace-oauth-authz -12

Based on where I currently am, here is another review of the document.

1.  In section 4 for Figure one:  Is the term "RS Information" your term or
an OAuth term?  When I see this I think of it as information for, not about,
the RS, which I do not believe is the intent.

2.  In section 5.1 - I am unclear what the second paragraph is supposed to
be doing here.  I think that you want to state this differently.  Rather than
talking about the "desired resource" you may want to talk about the AS.
That would better match the title of the section.

3.  In section 5.1 - There is a note in this section that does not seem to
be extremely useful.  Where does this discussion go on?  Is it still going on?
I am not even sure if the statement about a common understanding of time is
correct.  It seems that one can either add or not add the nonce as an RS
depending on if you think you understand a common time.

4.  In section 5.3 - There is a reference to I-D.erdtman-ace-rpcc.  Given
the use of POP tokens, what is the reason for this draft and the text about
client credential types?  (Put it this way.  I did not need to implement
this for anything yet.  Why is it here?)

Given 15 different introspection tokens, how do I decide which is the one to
present to the AS - enumerate them?

'authorization code' vs 'decode code' grants