Re: [apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07
Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 24 April 2013 18:06 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 6135B21F8C38; Wed, 24 Apr 2013 11:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.032
X-Spam-Level:
X-Spam-Status: No,
score=0.032 tagged_above=-999 required=5 tests=[BAYES_00=-2.599,
HELO_EQ_DE=0.35, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001,
MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ghs1VybHKwVe;
Wed, 24 Apr 2013 11:06:49 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de
[80.67.29.7]) by ietfa.amsl.com (Postfix) with ESMTP id 0D45B21F896D;
Wed, 24 Apr 2013 11:06:49 -0700 (PDT)
Received: from [79.253.49.97] (helo=[192.168.71.56]) by
smtprelay03.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68)
(envelope-from <torsten@lodderstedt.net>) id 1UV45f-0007R8-1y;
Wed, 24 Apr 2013 20:06:47 +0200
References: <68113CC9-033D-4E61-8190-2D3B9CE92CB0@mnot.net>
<77D6DF69-0715-485F-AF6E-D34D5990F5B1@lodderstedt.net>
<2760360C-76A7-40D3-9B57-157FCA9A7A8A@gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <2760360C-76A7-40D3-9B57-157FCA9A7A8A@gmail.com>
Content-Type: multipart/alternative;
boundary=Apple-Mail-2763BD80-1BD5-465D-8CE9-CE3858B29B30
Content-Transfer-Encoding: 7bit
Message-Id: <EAA8FD66-1F5F-4A36-A1A2-677BD34AC102@lodderstedt.net>
X-Mailer: iPad Mail (10B329)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Wed, 24 Apr 2013 20:06:45 +0200
To: Dick Hardt <dick.hardt@gmail.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "draft-ietf-oauth-revocation.all@tools.ietf.org"
<draft-ietf-oauth-revocation.all@tools.ietf.org>,
Mark Nottingham <mnot@mnot.net>, IESG IESG <iesg@ietf.org>,
"apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Apps Area Review of draft-ietf-oauth-revocation-07
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols
<apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>,
<mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>,
<mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2013 18:06:50 -0000
Hi Dick, Am 24.04.2013 um 19:34 schrieb Dick Hardt <dick.hardt@gmail.com>om>: > Hi Torsten > > Unlike RFC 6749 where the user is starting from documentation, OAuth Revocation is an extension to an existing protocol. > I don't get your point. Revocation is an extension to the OAuth framework. Why is the situation any different from any other endpoint? > FWIW: I agree with Mark that having the revocation URL be returned as an additional parameter in the access token request similar to how the refresh token is preferable. > > Use of the DELETE verb on the revocation URL is a great suggestion and makes the protocol more web like and straight forward. > We discussed this and other alternative options a long time ago and the WG decided to go for the design described in the draft. Regards, Torsten. > -- Dick > > On Apr 24, 2013, at 10:16 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > >> Hi Mark, >> >> thanks for your feedback. I added my comments inline. >> >> Am 24.04.2013 um 02:07 schrieb Mark Nottingham <mnot@mnot.net>et>: >> >>> I have been selected as the Applications Area Review Team reviewer for this draft (for background on apps-review, please see http://www.apps.ietf.org/content/applications-area-review-team). >>> >>> Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft. >>> >>> Document: draft-ietf-oauth-revocation-07 >>> Title: Token Revocation >>> Reviewer: Mark Nottingham >>> Review Date: 24 April 2013 >>> IETF Last Call Date: 30 April 2013 >>> IESG Telechat Date: unknown >>> >>> Summary: This draft is has issues that should be fixed before publication. >>> >>> Major Issues: >>> >>> 1) Section 2 states that the means of discovering the revocation endpoint is out of scope of this specification, and that it can be achieved by consulting documentation. >>> >>> This is a poor design choice, at odds with the Web architecture, and fails to provide interoperability. A discovery mechanism should be specified. >> >> >> I'm surprised about your assessment. My draft is just an extension to RFC6749, which leaves discovery out of scope as well. >> In my opinion, how the clients gets to know the revocation URL is a domain or application specific aspect. I expect OAuth profiles, such as OpenID Connect, to define this. >> >>> >>> One way to do it would be to allow the revocation URI to be indicated at an earlier part of the OAuth interchange. >>> >>> Another (potentially simpler) to do it would be to assign a URI to the token itself, and allow a properly authorised client to DELETE that URI; this removes the need to specify a body format. >> >> And there are much more possible options, e.g. using WebFinger. But is their THE discovery mechanism? >>> >>> Minor Issues: >>> >>> 2) The specification title is too broad; "Token Revocation" could apply to many IETF technologies. Suggest "OAuth Token Revocation". >> >> I will change the title. >> >> Regards, >> Torsten. >> >>> >>> -- >>> Mark Nottingham http://www.mnot.net/ >> _______________________________________________ >> apps-discuss mailing list >> apps-discuss@ietf.org >> https://www.ietf.org/mailman/listinfo/apps-discuss >
- [apps-discuss] Apps Area Review of draft-ietf-oau… Mark Nottingham
- Re: [apps-discuss] Apps Area Review of draft-ietf… Torsten Lodderstedt
- Re: [apps-discuss] Apps Area Review of draft-ietf… Dick Hardt
- Re: [apps-discuss] Apps Area Review of draft-ietf… Torsten Lodderstedt
- Re: [apps-discuss] Apps Area Review of draft-ietf… Jan Algermissen
- Re: [apps-discuss] Apps Area Review of draft-ietf… Marius Scurtescu