[apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07

Mark Nottingham <mnot@mnot.net> Wed, 24 April 2013 00:08 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 2C8E321F93CA; Tue, 23 Apr 2013 17:08:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.518
X-Spam-Status: No, score=-106.518 tagged_above=-999 required=5 tests=[AWL=-3.919, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id LGjhb8gg2F25; Tue, 23 Apr 2013 17:08:00 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net []) by ietfa.amsl.com (Postfix) with ESMTP id 6E91D21F93B9; Tue, 23 Apr 2013 17:08:00 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id D1894509B6; Tue, 23 Apr 2013 20:07:54 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Wed, 24 Apr 2013 10:07:50 +1000
Message-Id: <68113CC9-033D-4E61-8190-2D3B9CE92CB0@mnot.net>
To: "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>, draft-ietf-oauth-revocation.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
X-Mailer: Apple Mail (2.1503)
Cc: IESG IESG <iesg@ietf.org>
Subject: [apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2013 00:08:01 -0000

I have been selected as the Applications Area Review Team reviewer for this draft (for background on apps-review, please see http://www.apps.ietf.org/content/applications-area-review-team).

Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft.

Document: draft-ietf-oauth-revocation-07
Title: Token Revocation
Reviewer: Mark Nottingham
Review Date: 24 April 2013
IETF Last Call Date: 30 April 2013
IESG Telechat Date: unknown

Summary: This draft is has issues that should be fixed before publication.

Major Issues:

1) Section 2 states that the means of discovering the revocation endpoint is out of scope of this specification, and that it can be achieved by consulting documentation. 

This is a poor design choice, at odds with the Web architecture, and fails to provide interoperability. A discovery mechanism should be specified.

One way to do it would be to allow the revocation URI to be indicated at an earlier part of the OAuth interchange. 

Another (potentially simpler) to do it would be to assign a URI to the token itself, and allow a properly authorised client to DELETE that URI; this removes the need to specify a body format.

Minor Issues:

2) The specification title is too broad; "Token Revocation" could apply to many IETF technologies. Suggest "OAuth Token Revocation".

Mark Nottingham   http://www.mnot.net/