Re: [Last-Call] [Gen-art] Genart last call review of draft-ietf-oauth-rar-15
Brian Campbell <bcampbell@pingidentity.com> Wed, 30 November 2022 23:54 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46A1BC09F949 for <last-call@ietfa.amsl.com>; Wed, 30 Nov 2022 15:54:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWTu-PbqI9w4 for <last-call@ietfa.amsl.com>; Wed, 30 Nov 2022 15:53:57 -0800 (PST)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19A8AC09F940 for <last-call@ietf.org>; Wed, 30 Nov 2022 15:53:57 -0800 (PST)
Received: by mail-yb1-xb36.google.com with SMTP id 189so22996674ybe.8 for <last-call@ietf.org>; Wed, 30 Nov 2022 15:53:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Cs1EzDrGyy5vuyGzeFW99+hjB3gaSY4pOsurWV6pjjQ=; b=RgBQZ0yvLAZCaDbxjj9z9ScGANtLaRafWkjIqtzdAZeEU53IuWFkA0qgQnujBjkzqG qoOAvVfoUXY9Y1/RV0S9xD9uP+mESfmF5KiTgqfnfd5CW6LOwmzyR3Ajcl3AFBVFpAEU mjZunTwWj7wrzdjePlVOsdbqMqOjbODoL7M40t7ImNLiOtvOFbJCIzmpHVs9MSz5+4VF VKUvMyaFaqp1+jDkY818aTMbwzSna+5AwgsA7+T5llGHtOx7qDB7cjYQ/AhB9OQXsXtO S16kD2VXgf4tjcY/71qqj/6f148+zy0ppaGaq/Fhcme1mElvQofkI0juG5KcPLw8dDUJ eT+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Cs1EzDrGyy5vuyGzeFW99+hjB3gaSY4pOsurWV6pjjQ=; b=TcbbS6DXCcuOJgNoWU9jNdrt9cXIhDCscWjzenUQoQIybc3zWOr3Lh5y/nW+xD66xv ZWXShyZZvV+JoAu7iPhNwyU0/XgNpP1RURKM7bt3cgK7QatAJQLLjyKWL51aIjMA8/so Mj02AtZy24tXcC+OhLU9HS+HHBPuIHw3CfkOTTCiaHugBo4FqOpSdcv8nU5cavcJKivJ NVYRaj31i/p7WXVxc6PV3drFBnaNUT97Q7EOh25XrsgUO0WU0aE0yLYkf/CK+KIeUGOR LKoz8eTrH3e//7sUWHjv2qy8docl0SpOSttKGqYCgHvxABIh2l3pbfS2TlEQLvYDoz20 906Q==
X-Gm-Message-State: ANoB5pkRZY1c4ksZbZ94u7d/oNfUh1qoqXqV5/wwD7c49djw8M1cxVPk SZ58x2DINlSmQ5nLhFX8jHx3VbzqUVDolnW05ZqrMzLaGoy6TDOBLRkZqmiQhyHn1FX8Bq3UGHE uux1typVr02nMMLvF33Q=
X-Google-Smtp-Source: AA0mqf6kbsRlfWqwL1Jt0rY4yxEpURtdHwh+IsTr0DpojiJipYy/oob8w/UHLOHWFYJmk9rpKKQV460V3uUXdJG6r9k=
X-Received: by 2002:a25:aaeb:0:b0:6f0:7be4:dc53 with SMTP id t98-20020a25aaeb000000b006f07be4dc53mr37085826ybi.256.1669852436049; Wed, 30 Nov 2022 15:53:56 -0800 (PST)
MIME-Version: 1.0
References: <166872457082.62668.15876743882764157331@ietfa.amsl.com> <ee3757aa-2ac1-4f5b-b77f-1831ac5781bd@nostrum.com> <193798dd-5a78-a2eb-cdc9-0a90764e2b7b@nostrum.com> <CA+k3eCTX66JJti8sVmKOC=oM242T72+U4bk1D4fTqphRy74qSg@mail.gmail.com> <fba1f40b-ad75-6008-bd0c-195d719dfde1@nostrum.com>
In-Reply-To: <fba1f40b-ad75-6008-bd0c-195d719dfde1@nostrum.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 Nov 2022 16:53:00 -0700
Message-ID: <CA+k3eCSzk6Nx4j6GMiFjjSRWy2cKVwmj4UP1miNmkhDcc4cRQQ@mail.gmail.com>
To: Robert Sparks <rjsparks@nostrum.com>
Cc: gen-art@ietf.org, draft-ietf-oauth-rar.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000047894805eeb8d10d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/JnqKdzdGWgqAzCv21mCtWr-kq74>
Subject: Re: [Last-Call] [Gen-art] Genart last call review of draft-ietf-oauth-rar-15
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2022 23:54:01 -0000
On Wed, Nov 30, 2022 at 4:08 PM Robert Sparks <rjsparks@nostrum.com> wrote: > > On 11/30/22 2:39 PM, Brian Campbell wrote: > > Thank you for the review Robert. And apologies for the very delayed > response. I think we had a bit of a volunteer's dilemma > <https://en.wikipedia.org/wiki/Volunteer%27s_dilemma> amongst the > editors, which was exacerbated by some timing issues including vacation and > subpar communication amongst us. We'll get all the nits/editorial comments > addressed. Also the minor issues. Actually, changes for those are already > in a branch of the document source repository > https://github.com/oauthstuff/draft-oauth-rar/tree/genart-review and > should be in the -17 revision. Some discussion on the majors is inline > below. > > > On Thu, Nov 17, 2022 at 3:45 PM Robert Sparks <rjsparks@nostrum.com> > wrote: > <snip> > >> I have two major issues that I think need discussion: >> >> Major Issue 1) The document seems to be specifying a new way of >> comparing json names, claiming it is what RFC8259 requires, but I >> disagree that RFC8259 says what this document is claiming. If I'm >> correct, the document is trying to rely on the text in section 7 of >> RFC8259 to support the idea that implementation MUST NOT alter the json >> names (such as applying Unicode normalization) before comparison and >> that the comparison MUST be performed octet-by-octet. Rather, section 7 >> says something more like "you better escape and unescape stuff correctly >> if you’re going to do unicode codepoint by codepoint comparison" which >> is a completely different statement. >> >> If I'm right, and this is a new comparison rule that goes beyond what >> JSON itself defines, I think the group should seek extra guidance from >> Unicode experts. If I'm wrong and this behavior is defined somewhere >> else, please provide a better pointer to the definition. >> >> In many environments, its unusual for an implementation relying on a >> stack below it to have any say at all on whether normalization is going >> to be applied to the unicode before the application gets to look. Rather >> than trying to work around the problem you've identified with >> normalization by specifying the comparison algorithm, consider just >> making stronger statements about the strings used in the json names the >> document defines. Why _can't_ you restrict the authorization_details >> values to ascii? If it's because you want to present the string to a >> user, consider putting a presentation string elsewhere in the json that >> is not used for comparison. >> > > To the best of my understanding, it's not trying to specify a new or > different way of comparing JSON names or values. I think it's only trying > to say that the application must not do any *additional* normalization of > the string values that it gets from the JSON stack or any other extra > processing for the sake of comparison. I think anyway. > > Honestly, I didn't really (and still don't) understand the concerns that > some of the WG had that led to the text in question. So I didn't pay close > attention to it while thinking to myself there can't be harm in saying to > do a byte-by-byte comparison with no additional processing. But here we > are... > > Does that halfhearted explanation alleviate your concerns at all? Or, with > that explanation in mind, are there specific changes to the text (in sec > 12 > <https://www.ietf.org/archive/id/draft-ietf-oauth-rar-15.html#section-12> > and sec 2 > <https://www.ietf.org/archive/id/draft-ietf-oauth-rar-15.html#section-2>, > I think) that would alleviate your concerns? Or do we need to consider just > deleting those parts? > > I did track down this issue about it > https://github.com/oauthstuff/draft-oauth-rar/issues/28 for maybe added > context. > > Thanks for that pointer. If that's the extent, then I really think the > group should walk this back just a little and answer why restricting these > names to (a subset of) ascii is an unacceptable thing to do. The > conversation there reinforces my guess that these aren't meant for display > to users, so why take on the additional complexity? Make it easy for > implementors to get it right with much less effort. > Yes, that guess is correct that type value is not meant for display to users (the issue is about type value). I can't confidently say the same about names and values that any particular type will define. I don't think it matters though. It's not that restricting is unacceptable but that it's not necessary. Just using the values that come from the JSON layer is enough. And I'd contend there's not really additional complexity. It just appears like additional complexity because of the unnecessary and maybe less than idea wording in the draft. Wording that I'd be more than happy to try and fix up or just remove. > > Major Issue 2) The suggested pattern demonstrated starting in figure 16 >> (using [] to mean "let the user choose") seems underspecified. If the >> point is that different APIs may invent different mechanics _like_ this, >> and that this is only an example. Make it much clearer that this is an >> example. If this is a pattern you expect all APIs to follow, then more >> description is warranted. Is it intended that a user could add and >> remove things arbitrarily to such lists? For instance is it intended >> that this support an interaction where the client is asking for >> permission to operate on account A, and the user can say "no, but you >> can operate on account B"? >> > > It is really intended to be saying that different APIs may invent > different mechanics _like_ this, if needed. And the []'s are just one way > that an API might define some of how to do it. > > I've tried to make this more clear with these edits: > https://github.com/oauthstuff/draft-oauth-rar/commit/ee70e000557a69afe133356847c5083882686811 > > This works for me. Consider adding something like "This mechanic is > illustrative only and is not intended to suggest a preference for designing > the specifics of any authorization details type this way." > Sure, I'll add that. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [Last-Call] Genart last call review of draft-ietf… Robert Sparks via Datatracker
- Re: [Last-Call] Genart last call review of draft-… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Brian Campbell
- Re: [Last-Call] [Gen-art] Genart last call review… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Brian Campbell
- Re: [Last-Call] [Gen-art] Genart last call review… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Brian Campbell
- Re: [Last-Call] [OAUTH-WG] [Gen-art] Genart last … Justin Richer
- Re: [Last-Call] [OAUTH-WG] [Gen-art] Genart last … Brian Campbell
- Re: [Last-Call] [Gen-art] Genart last call review… Lars Eggert