[Ace] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)
Éric Vyncke via Datatracker <noreply@ietf.org> Mon, 22 March 2021 14:56 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ace@ietf.org
Delivered-To: ace@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E3713A1770; Mon, 22 Mar 2021 07:56:19 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Éric Vyncke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-oauth-authz@ietf.org, ace-chairs@ietf.org, ace@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Éric Vyncke <evyncke@cisco.com>
Message-ID: <161642497935.28459.6337296577160925255@ietfa.amsl.com>
Date: Mon, 22 Mar 2021 07:56:19 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/eRsxlO2qwOvtpoqm9_fz6m4C0Wo>
Subject: [Ace] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 14:56:26 -0000
Éric Vyncke has entered the following ballot position for draft-ietf-ace-oauth-authz-38: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you for the work put into this document. I have really appreciated the informative and concise section 3 "overview". The flow and the explanations are really superb: if only all published RFC could have this level of quality ;-) While I appreciate that the document shepherd was the past Jim Schaad, I find it weird to read a shepherd's review is for the -21 revision while the balloted revision is -38 as I usually rely on those write-ups to get an idea about the WG consensus... Anyway I am trusting the responsible AD for this I-D. Side note: due to lack of time, I have skipped the security and IANA considerations sections as I trust the responsible AD. Please find below some non-blocking COMMENT points (but replies would be appreciated), and some nits. Last very minor/cosmetic comment about this document as well to the oAuth terminology: using "refresh tokens" sounds weird to me, I would have preferred "permanent tokens" or "long-term tokens", but, I am afraid that the train has left the station for many years ;-) And the same applies for "introspection" that usually is done internally and does not require a third party as in oAuth (but this is another train, which has also left the station...). I hope that this helps to improve the document, Regards, -éric == COMMENTS == -- Section 3 -- Should references/expansions be added for "HTTP/2, MQTT, BLE and QUIC" ? -- Section 3.1 -- Suggest to review the order of the definitions, notably popping up "introspection" as it is used by most of the other terms. -- Section 4 -- Mostly cosmetic, any reason why figure 1 is so far away from its mention in §1 ? In "ensure that its content cannot be modified, and if needed, that the content is confidentiality protected", I wonder why the confidentiality is only optional ? As far as I understand it, the possession of an access token grants access to a ressource, so, it should be protected against sniffing. What did I miss ? In "If the AS successfully processes the request from the client" may look ambiguous because processing correctly (per protocol) an invalid credential is also "successfully processed". Suggest to mention something about "positive authentication" ;) -- Section 5 -- As a non-English native speaker, I cannot see the verb in the second proposition in "For IoT, it cannot be assumed that the client and RS are part of a common key infrastructure, so the AS provisions credentials or associated information to allow mutual authentication.". While I obviously understand the meaning, could it be rephrased ? -- Section 5.1.1 -- Could the word "unprotected" be better defined in "received on an unprotected channel" ? E.g., is it only about TLS ? Else, I like the implicit lack of trust. -- Section 5.1.2 -- I must admit that I have failed to understand the semantic of "audience"... Can you either explain its meaning or provide a reference ? -- Section 5.5 -- In "Since it requires the use of a user agent (i.e., browser)" is it "i.e." or "e.g." ? -- Section 5.6 -- s/the semantics described below MUST be/the semantics described in this section MUST be/ ? In "The default name of this endpoint in an url-path is '/token'" should "SHOULD" normative language be used ? -- Section 5.6.4.1 -- In figure 11, would you mind adding the section ID in addition to RFC 6749 ? I failed to spot them in RFC 6749. -- Section 5.7.2 -- It is a little unclear to me which profile must be used as 'profile' is optionnial? Should a default or any profile be used ? -- Section 5.8.1 -- Suggest to use the BCP14 "SHOULD" in the text "The default name of this endpoint in an url-path is '/authz-info'" -- Section 10.2 -- Is RFC 7049 really an informative reference as CBOR appears as the default encoding ? == NITS == s/application layer protocol/application-layer protocol/ ? Should multi-words message names (e.g., AS Request Creation Hints) be enclosed by quotes ? -- Section 2 -- Please introduce "authz-info" before first use. -- Section 3.1 -- "PoP" is expanded twice in this section ;-) "CBOR encoding (CWT) " the "CWT" acronym does not match the expansion :-) -- Section 4 -- Sometimes "Client" is used and sometimes "client" is used... s/reference to a specific credential/reference to a specific access credential/ ? -- Section 5.1.2 -- Can you introduce to "kid" acronym ? It too me a while to understand that it is (probably) key-id... :-) Unsure whether "nonce: h'e0a156bb3f'," is the usual IETF way to introduce an hexadecimal number. typo in "5.8.4. Key Expriation" :-)
- [Ace] Éric Vyncke's No Objection on draft-ietf-ac… Éric Vyncke via Datatracker
- Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection o… Seitz Ludwig
- Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection o… Eric Vyncke (evyncke)
- Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection o… Seitz Ludwig
- Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection o… Eric Vyncke (evyncke)
- Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection o… Daniel Migault