[Ace] Zaheduzzaman Sarker's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)
Zaheduzzaman Sarker via Datatracker <noreply@ietf.org> Wed, 24 March 2021 01:26 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ace@ietf.org
Delivered-To: ace@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF253A1C66; Tue, 23 Mar 2021 18:26:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Zaheduzzaman Sarker via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-oauth-authz@ietf.org, ace-chairs@ietf.org, ace@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>
Message-ID: <161654919034.11287.3733524988551405831@ietfa.amsl.com>
Date: Tue, 23 Mar 2021 18:26:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/woNObEajKc57BXO0fh3qDwoUHUU>
Subject: [Ace] Zaheduzzaman Sarker's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Mar 2021 01:26:31 -0000
Zaheduzzaman Sarker has entered the following ballot position for draft-ietf-ace-oauth-authz-38: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for working on this document. I found the overview section very helpful to setup the knowledge required to absorb the rest of the document. I have following observations and/or nits, hopefully this will improve this document - * Section 1: For web applications on constrained nodes, this specification RECOMMENDS the use of the Constrained Application Protocol (CoAP) [RFC7252] as replacement for HTTP. I can't parse the normative text "RECOMMENDS " :-). I believe if normative text is used here then "RECOMMEND" or "RECOMMENDED" should be used. By the way, there are more occurrence of "RECOMMENDS " in this document. The same comment applied for those occurrences . * Section 2 : I would suggest to drop "we use" from the beginning of last two paragraphs in this section and write those paraphaphs in passive form to harmonize with rest of the section. * Section 3.1 : Introspection is a method for a resource server to query the authorization server for the active state and content of a received access token. This is particularly useful in those cases where the authorization decisions are very dynamic and/or where the received access token itself is an opaque reference rather than a self-contained token. More information about introspection in OAuth 2.0 can be found in [RFC7662]. I got gradually introduced in this document that potentially the client can also use the method to query for more information (Section 5.9) via RS. I think it will be helpful if this is described early that RS and client both can use the introspection offered by AS. * Section 4 : Figure 1 The use of (optional) here is a bit confusing. The (optional) tag in (B) means it is optional to include refresh token. For (D) and (E) the meaning of (optional) is completely different. The response to the Introspection Request is not optional, is it?.. but that interaction between AS and RS is optional. It might be good to separate the use of "optional" in this figure / or amend the figure in a different way to avoid such confusion. * Section 5.2 : The request has been received on an unprotected channel. The definition of "unprotected" would be appropriated here. does this refer to secure communication channel? * Section 5.10.1. : Typo : s/Section Section / Section
- [Ace] Zaheduzzaman Sarker's No Objection on draft… Zaheduzzaman Sarker via Datatracker
- Re: [Ace] [EXTERNAL] Zaheduzzaman Sarker's No Obj… Seitz Ludwig