IETF Logo Mail Archive

Re: [Last-Call] [Gen-art] Genart last call review of draft-ietf-oauth-rar-15

Robert Sparks <rjsparks@nostrum.com> Thu, 17 November 2022 22:45 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF47C14F606; Thu, 17 Nov 2022 14:45:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.077
X-Spam-Level:
X-Spam-Status: No, score=-2.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nostrum.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xu-vAaowfHEo; Thu, 17 Nov 2022 14:45:41 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C245C14CF16; Thu, 17 Nov 2022 14:45:39 -0800 (PST)
Received: from [192.168.1.102] ([47.186.48.51]) (authenticated bits=0) by nostrum.com (8.17.1/8.17.1) with ESMTPSA id 2AHMjaEx017019 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Thu, 17 Nov 2022 16:45:37 -0600 (CST) (envelope-from rjsparks@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1668725137; bh=iVxVqZ9ssTwYmsbja5574GrYIQxcVDSy4FF0/EQjGyc=; h=Date:Subject:From:To:Cc:References:In-Reply-To; b=AY/XHDqwx6Y4AsCqh6Oi5/7zhfA0KyygO0Y1gcJQJPQIgQOSsRcRFCNixs+peXHJd gP16fXF+N8ubIGp/KCQnX0SaqUD9M4UJ4w9oHwelg+s7Rd85ZF1ccNWRFZYtD8g9d3 b1PBOmPuTjiQLPrrSg2lrmgUpGE8ZremShIrve/c=
X-Authentication-Warning: raven.nostrum.com: Host [47.186.48.51] claimed to be [192.168.1.102]
Message-ID: <193798dd-5a78-a2eb-cdc9-0a90764e2b7b@nostrum.com>
Date: Thu, 17 Nov 2022 16:45:31 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.4.1
Content-Language: en-US
From: Robert Sparks <rjsparks@nostrum.com>
To: gen-art@ietf.org
Cc: draft-ietf-oauth-rar.all@ietf.org, last-call@ietf.org, oauth@ietf.org
References: <166872457082.62668.15876743882764157331@ietfa.amsl.com> <ee3757aa-2ac1-4f5b-b77f-1831ac5781bd@nostrum.com>
In-Reply-To: <ee3757aa-2ac1-4f5b-b77f-1831ac5781bd@nostrum.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/Ir4UG5hATN0GargauNFHkZF4EHI>
Subject: Re: [Last-Call] [Gen-art] Genart last call review of draft-ietf-oauth-rar-15
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 22:45:42 -0000

On 11/17/22 4:44 PM, Robert Sparks wrote:
> Apologies - an upload fumble left -00 empty. I've revised it to have 
> content at -01.

Which I'll also paste here for convenience:

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-oauth-rar-14 (<- that was a typo - I really did 
review 15)
Reviewer: Robert Sparks
Review Date: 2022-11-17
IETF LC End Date: 2022-11-17
IESG Telechat date: Not scheduled for a telechat

Summary:

Major issues: Essentially ready for publication as a Proposed Standard 
RFC, but with issues to discuss before publication

I have two major issues that I think need discussion:

Major Issue 1) The document seems to be specifying a new way of 
comparing json names, claiming it is what RFC8259 requires, but I 
disagree that RFC8259 says what this document is claiming. If I'm 
correct, the document is trying to rely on the text in section 7 of 
RFC8259 to support the idea that implementation MUST NOT alter the json 
names (such as applying Unicode normalization) before comparison and 
that the comparison MUST be performed octet-by-octet. Rather, section 7 
says something more like "you better escape and unescape stuff correctly 
if you’re going to do unicode codepoint by codepoint comparison" which 
is a completely different statement.

If I'm right, and this is a new comparison rule that goes beyond what 
JSON itself defines, I think the group should seek extra guidance from 
Unicode experts. If I'm wrong and this behavior is defined somewhere 
else, please provide a better pointer to the definition.

In many environments, its unusual for an implementation relying on a 
stack below it to have any say at all on whether normalization is going 
to be applied to the unicode before the application gets to look. Rather 
than trying to work around the problem you've identified with 
normalization by specifying the comparison algorithm, consider just 
making stronger statements about the strings used in the json names the 
document defines. Why _can't_ you restrict the authorization_details 
values to ascii? If it's because you want to present the string to a 
user, consider putting a presentation string elsewhere in the json that 
is not used for comparison.

Major Issue 2) The suggested pattern demonstrated starting in figure 16 
(using [] to mean "let the user choose") seems underspecified. If the 
point is that different APIs may invent different mechanics _like_ this, 
and that this is only an example. Make it much clearer that this is an 
example. If this is a pattern you expect all APIs to follow, then more 
description is warranted. Is it intended that a user could add and 
remove things arbitrarily to such lists? For instance is it intended 
that this support an interaction where the client is asking for 
permission to operate on account A, and the user can say "no, but you 
can operate on account B"?

Minor issues:

Section 2: What does "The AS MUST ensure that there is no collision 
between different authorization details types that it supports." mean? 
How is this a 2119 requirement? I _think_ you're trying to point out 
that the authorization_details string is a unique-key at any AS and that 
that has consequences on the API _designer_, but I don't know what is 
expected of an AS coder here. Some clearer words are needed.

Section 7: Please expand on, or rephrase, "if these are deemed of no 
intended use for the client." Could you just delete the phrase? If you 
are only explaining why an AS might do this, make it clear that it's an 
example (and split the example into a separate sentence). If this is the 
_only_ reason an AS might omit values in the token Response, then more 
detail is needed.


Nits/editorial comments:

Throughout the document, there is a mix of "authorization_details" and 
"authorization details". It is not completely consistent using one when 
talking about the parameter and the other when talking about the general 
concept of details about authorization. Please inspect each occurrence 
and verify that it is using the correct form.

Introduction: suggest changing 'defines the parameter scope' to 'defines 
the parameter "scope"'

Introduction just after figure 1 - expand AS (first use).

Section 2.2: Please rework the sentence where you mention "the cartesian 
product" and remove the reference - it is not helpful. Instead of "That 
is to say," just say it.

Section 6.1, discussion just after Figure 13. Consider rewriting the 
sentence to avoid the term "non-subsuming". Think about translation into 
other languages.

Section 9.2 intro to Figure 21: something is missing from this sentence. 
The RS: at the end is either not needed or needs more words?

Section 10: Please reconsider the first sentence. Write it in a way that 
doesn't imply the AS has agency (the AS can't "want"), and avoid the 
current "If...then MUST" construction. It would be better to say 
something like "To signal (foo) the AS (does these things)".

Section 10 just before Figure 23: Please clarify what it means for a 
client to announce types that they "use"? Do you mean "support"? Do you 
mean "intend to use in this interaction"? Or something else? Consider 
saying more about why allowing the client to announce these things is 
useful.

Appendix A.1 : expand ACR

Figure 30 caption : typo at eHaelth.


>
> RjS
>
> On 11/17/22 4:36 PM, Robert Sparks via Datatracker wrote:
>> Reviewer: Robert Sparks
>> Review result: Ready with Issues
>>
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair.  Please treat these comments just
>> like any other last call comments.
>>
>> For more information, please see the FAQ at
>>
>> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>>
>> Document: draft-ietf-oauth-rar-??
>> Reviewer: Robert Sparks
>> Review Date: 2022-11-17
>> IETF LC End Date: 2022-11-17
>> IESG Telechat date: Not scheduled for a telechat
>>
>> Summary:
>>
>> Major issues:
>>
>> Minor issues:
>>
>> Nits/editorial comments:
>>
>>
>>
>
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email