[OAUTH-WG] Re: Mike Bishop's No Objection on draft-ietf-oauth-browser-based-apps-24: (with COMMENT)

Mike Bishop <mbishop@evequefou.be> Mon, 02 June 2025 14:48 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: Aaron Parecki <aaron@parecki.com>
Date: Mon, 02 Jun 2025 14:48:51 +0000
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-browser-based-apps@ietf.org" <draft-ietf-oauth-browser-based-apps@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3bjOQ773aR1VyqRPCkQGaclzb9E>

Looks good — thank you!
________________________________
From: Aaron Parecki <aaron@parecki.com>
Sent: Wednesday, May 28, 2025 12:04 PM
To: Mike Bishop <mbishop@evequefou.be>
Cc: The IESG <iesg@ietf.org>; draft-ietf-oauth-browser-based-apps@ietf.org <draft-ietf-oauth-browser-based-apps@ietf.org>; oauth-chairs@ietf.org <oauth-chairs@ietf.org>; oauth@ietf.org <oauth@ietf.org>; rifaat.s.ietf@gmail.com <rifaat.s.ietf@gmail.com>
Subject: Re: Mike Bishop's No Objection on draft-ietf-oauth-browser-based-apps-24: (with COMMENT)

Thanks for your review Mike! Answers inline:


On Wed, Apr 23, 2025 at 6:44 PM Mike Bishop via Datatracker <noreply@ietf.org> wrote:


> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for a solid and well-written document. Definitely a pleasure to read
> such a thorough analysis.
>
> The document states, "Given the popularity of this scenario, this document uses
> the term "JavaScript" to refer to all mechanisms that allow code to execute in
> the application's runtime in the browser. The recommendations and
> considerations in this document are not exclusively linked to the JavaScript
> language or its runtime, but also apply to other languages and runtime
> environments in the browser." I understand the temptation because of how we
> often speak about browser code, but that seems like a recipe for confusion --
> how about not doing that? Use JavaScript when you actually mean JavaScript
> itself, and use "browser-based apps" when you're more general (which is most of
> the time).
>
> Please also be consistent in your usage of JavaScript versus JS. We can afford
> the extra characters unless you're referring to the standard file extension.

I've done a thorough update to the language to be consistent with the terminology here. All references should now say "browser-based application" when referring to the general case, and "JavaScript" only when talking about specific JavaScript APIs.

> Nit:
>
> - Why is "The first part (Section 5.1)" not simply "Section 5.1"? Same with
> second/5.2.

Thanks, fixed.

These changes are not yet posted to datatracker but you can see them on the GitHub diffs:

* https://github.com/oauth-wg/oauth-browser-based-apps/commit/f33b5f02b67de0aea697f4a45a5970e7df7d4b8f
* https://github.com/oauth-wg/oauth-browser-based-apps/commit/7d72df77b94b62a6a8141ffb4e6ae32fb6745dfd

The preview build of the doc is here:

https://drafts.oauth.net/oauth-browser-based-apps/draft-ietf-oauth-browser-based-apps.html

Thanks!

Aaron