[OAUTH-WG] My earlier comments on the dyn client reg draft

Eve Maler <eve@xmlgrrl.com> Tue, 04 December 2012 19:49 UTC

Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B085121F8CC1 for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2012 11:49:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.293
X-Spam-Level:
X-Spam-Status: No, score=-1.293 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FROM_DOMAIN_NOVOWEL=0.5, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZmWhbAxRm3X3 for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2012 11:49:31 -0800 (PST)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id BF2B221F8CAC for <oauth@ietf.org>; Tue, 4 Dec 2012 11:49:31 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by greendome.promanage-inc.com (Postfix) with ESMTP id 36C9539FE9D; Tue, 4 Dec 2012 09:25:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from greendome.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvtLjyaa12QO; Tue, 4 Dec 2012 09:25:47 -0800 (PST)
Received: from [192.168.168.107] (unknown [192.168.168.107]) by greendome.promanage-inc.com (Postfix) with ESMTPSA id 00AD639FE90; Tue, 4 Dec 2012 09:25:46 -0800 (PST)
From: Eve Maler <eve@xmlgrrl.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 04 Dec 2012 09:25:46 -0800
To: "oauth@ietf.org WG" <oauth@ietf.org>
Message-Id: <CA2291AB-BD16-4138-95A9-30AF10CA6A16@xmlgrrl.com>
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
X-Mailer: Apple Mail (2.1499)
Subject: [OAUTH-WG] My earlier comments on the dyn client reg draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2012 19:49:32 -0000

Hannes suggested that, for transparency, I should share with the list the comments that I had earlier sent to Justin. Here they are. I believe these have all been addressed in one way or another by now.

	Eve

====

General

- Authorship: I suspect that Christian Scholz really won't mind if you move him to the acknowledgments. He actually had not that much to do with the original UMA-based draft, but was our official spec editor of the group at the time. (I wrote the bulk of the requirements, and Maciej wrote the bulk of the request/response stuff.)

1. Introduction

- Para 2: s/meta information/metadata/ to match other references.

2.1. Client Association Request

- Could you make it a bit clearer that the parameters you list are actually defined in Section 3? I found this confusing at first.

2.2. Client Association Response (and following)

- Is it worthwhile defining a media type application/json+something for the various JSON-encoded responses defined in the doc? I'm not sure if the OAuth spec has been going to this trouble. The UMA spec does -- which means that eventually we'll have to submit to IANA for registering those types...

- client_secret:
 s/us used/is used/
 s/not required/OPTIONAL/ ?

- registration_access_token: Is there any reason not to call this simple "access_token"?

2.3. Client Update Request

- Para 1: Why is the empty-value interpretation a SHOULD rather than a MUST? It would seem that we'd want interoperability in how to replace/wipe metadata.

2.4. Client Update Response (and following)

- For client_id in responses, does it make sense to say something like "A unique Client Identifier matching the one in the request"?

2.5. Rotate Secret Request

- Having it be an error if the client never originally had a secret, and the question about rotating the access token, makes me think that we should keep things as simple as possible, and make this operation be something like "client_refresh", which always refreshes the access token and -- if it was issued a secret -- the secret as well? There's sort of a recursiveness to managing meta-secrets used to issue client identities, and the last thing we want is to embed a full-blown OAuth mechanism that makes it token turtles all the way down...

2.7. Client Registration Error Response

- Trying to think of additional error conditions: invalid ID? Invalid token? These don't seem covered by the existing options. Of course, it's possible this detail shouldn't be exposed in the error response for security reasons.

3. Client Metadata

- In "token_endpoint_auth_method": Is "unspecified or omitted" redundant? What's the difference?

5. Security Considerations

- I assume that, eventually, the RP/IdP language from the OpenID Connect draft will need to be genericized.

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl