[Gen-art] Genart last call review of draft-ietf-oauth-token-exchange-14
Jari Arkko <jari.arkko@piuha.net> Fri, 03 August 2018 13:49 UTC
Return-Path: <jari.arkko@piuha.net>
X-Original-To: gen-art@ietf.org
Delivered-To: gen-art@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2379813101B; Fri, 3 Aug 2018 06:49:43 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Jari Arkko <jari.arkko@piuha.net>
To: gen-art@ietf.org
Cc: draft-ietf-oauth-token-exchange.all@ietf.org, ietf@ietf.org, oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.83.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <153330418307.18499.9986651355808523631@ietfa.amsl.com>
Date: Fri, 03 Aug 2018 06:49:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/6McwmxDKW--KNpFZ-0j67RcCkzg>
Subject: [Gen-art] Genart last call review of draft-ietf-oauth-token-exchange-14
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.27
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 13:49:43 -0000
Reviewer: Jari Arkko Review result: Ready I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. Document: draft-ietf-oauth-token-exchange-14 Reviewer: Jari Arkko Review Date: 2018-08-03 IETF LC End Date: 2018-08-06 IESG Telechat date: Not scheduled for a telechat Summary: This specification describes a standardised protocol for requesting and receiving security tokens from an OAuth 2.0 authorisation service. I had no experience on OAuth previously, but the document was understandable and as far as I could determine, had no major issues. It was a bit more difficult to determine completeness. Security and privacy considerations sections were quite short, for instance, and maybe that's justifiable given the ability to refer to prior RFCs on this subject. However, I suspect one could say more, e.g., Section 7 says "Tokens typically carry personal information and their usage in Token Exchange may reveal details of the target services being accessed", but it does not offer any advice on how such details might be minimised. But perhaps that's already in another RFC as well. Major issues: Minor issues: Nits/editorial comments:
- [Gen-art] Genart last call review of draft-ietf-o… Jari Arkko
- Re: [Gen-art] [OAUTH-WG] Genart last call review … Brian Campbell
- Re: [Gen-art] [OAUTH-WG] Genart last call review … Alissa Cooper