[Gen-art] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 10 April 2012 14:02 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5439211E80D5; Tue, 10 Apr 2012 07:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.338
X-Spam-Status: No, score=-102.338 tagged_above=-999 required=5 tests=[AWL=0.261, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id n9EswgLPvxrz; Tue, 10 Apr 2012 07:02:36 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com []) by ietfa.amsl.com (Postfix) with ESMTP id 52E8211E80D3; Tue, 10 Apr 2012 07:02:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1334066555; d=isode.com; s=selector; i=@isode.com; bh=bYQCBLIapiUTmkuq8okRogKIFoQ5k3TMEx2zcTMW47E=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=cUKknYQcFaZrKmvjSkIP/Z1yOODUoHiUWhjaFTJl6b7p1UMtT5K7Ib4zxjjTzZ+xQmoeuM yWiQjxhzOP3QpfB0yuzEcoWRtTPZUV2kAzQndzsco4hjn6DFDET7W/fIgVp81/gEz/Rztp c0YBGOkJG2mx/5b4XWcU+LcWaVt9GXk=;
Received: from [] (shiny.isode.com []) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T4Q9egAg23l2@rufus.isode.com>; Tue, 10 Apr 2012 15:02:35 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F843DA1.8080703@isode.com>
Date: Tue, 10 Apr 2012 15:03:13 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>
References: <4F2575CE.9040001@isode.com> <4E1F6AAD24975D4BA5B16804296739436638B7AD@TK5EX14MBXC284.redmond.corp.microsoft.com> <4F27C37C.1090008@isode.com> <4F843A22.4020908@isode.com>
In-Reply-To: <4F843A22.4020908@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: General Area Review Team <gen-art@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, The IESG <iesg@ietf.org>
Subject: [Gen-art] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2012 14:02:37 -0000

I am the assigned Gen-ART reviewer for this draft. For background on 
Gen-ART, please see the FAQ at 

Please resolve these comments along with any other Last Call comments 
you may receive.
Document: draft-ietf-oauth-v2-bearer-18.txt
Reviewer: Alexey Melnikov
Review Date: 10 April 2012
IETF LC End Date: 7 Feb 2012
IESG Telechat date: 12 April 2012

Summary: Nearly ready to be published as Proposed Standard, with a 
couple of things that should be addressed or at least discussed.

Thank you for addressing most of my other issues. However there are a 
couple remaining which I think are important.

Major Issues:

    The "scope" attribute is a space-delimited list of scope values
    indicating the required scope of the access token for accessing the
    requested resource.  In some cases, the "scope" value will be used
    when requesting a new access token with sufficient scope of access to
    utilize the protected resource.  The "scope" attribute MUST NOT
    appear more than once.  The "scope" value is intended for
    programmatic use and is not meant to be displayed to end users.

I don't think this provide enough information about what this is, how it 
is to be used and which values are allowed. As this is not meant to be 
displayed to end users, then you need to say what values are allowed and 
which entity can allocate them. Is there a registry for these tokens, 
e.g. an IANA registry?

The editor provided explanation in email, however this was not reflected 
in any version of the draft.

2). Section "3.1.  Error Codes"

I've suggested to use an IANA registry for this field. Apparently there 
is already a registry created by 
However this document doesn't register values defined in section 3.1 
with IANA and doesn't point to draft-ietf-oauth-v2-23 for the registry. 
I find this to be very confusing.

Minor issues: none

Nits: none