Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-device-flow-13: (with COMMENT)
William Denniss <wdenniss@google.com> Tue, 15 January 2019 21:48 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F1FA130F19 for <oauth@ietfa.amsl.com>; Tue, 15 Jan 2019 13:48:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.642
X-Spam-Level:
X-Spam-Status: No, score=-17.642 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pfl3dgtV0zw7 for <oauth@ietfa.amsl.com>; Tue, 15 Jan 2019 13:48:36 -0800 (PST)
Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85F47130F18 for <oauth@ietf.org>; Tue, 15 Jan 2019 13:48:33 -0800 (PST)
Received: by mail-it1-x132.google.com with SMTP id g85so7597475ita.3 for <oauth@ietf.org>; Tue, 15 Jan 2019 13:48:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=11Sr8r3ubSwkY6E0Rrn4Nsdsrj3M9aiVp2VyD1fj/ts=; b=TT1kMjrghkgiIQo8Oek4Uoj2pCY6OHzCEzDY1V/8echS8UeOyLeq1BFhR5vvdZZJPp i4JYRkB5fDAGkRhG9inHQYBixKkt+QvCXxv5DVPFcmtuft8daoIDHJdlWKwXgk4Q27n3 Q+TifGdB+e3l9bhoByNSvRKL2Ui/E5Miu0V4NUTdjsupAdmXvQFYdzyuRvA3u6zuHBoi J6TDBYEcA4ux5zz+NLpNhPR+orX8jYyF0qZLI7lE4nIPUboFzPbFbtwN3po8yjO9qFtz flxf9N0HxTitmNaF/xLdS7gr7x3ajgho/B9WxZQAo33Ioohu/GJVYZClpBnaY1Wh4VHp 3ZZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=11Sr8r3ubSwkY6E0Rrn4Nsdsrj3M9aiVp2VyD1fj/ts=; b=KR78wKOXTb+Nl0YRWklKDIULYLl0Ca6gsne0UVVWILnyr86BAhl/02FXgcqbsyX8Nv AJU4fc4z+QG75xdj1FiNiYUSbTxwXnmQ19XMvp0xvVqHxbkcgERFNt3x+qyhrjj+yhz9 ZoQpcMxTDVxLNAdhBdEZ+YfVeZtUtZCMnFJVz9tciKLnHw/Hedf4Mf9hZUJmNHujQN53 aAJrgipIVWf9nWJw5z3L533RylmAwkq28HYUerFvHU7k+d7PP/4K7uqwLer6kP0eg+MB obGx4EorngRxfgNRe4eZtG97LIlBV5KSq18OsXme1Q1xOUSNChWqpzH0IwNf2WWe4WJM U+mw==
X-Gm-Message-State: AJcUukdfo7jT7widftCzVHIZFqC2xMse6+zWaxthefKXH6534kQ6Vc3r DLs8cQ4Fd55mR81NdQOkZZG3OGmobZShA0JvO13P4A==
X-Google-Smtp-Source: ALg8bN72Bci/sCRtKW2yfqpLCmBB4rjYDCGwasGAtemkpl2gE2rkjucuqe+zEcpuD7mey/9vGU5hNO7rNiE19aYI9TM=
X-Received: by 2002:a02:1217:: with SMTP id i23mr3522771jad.53.1547588912514; Tue, 15 Jan 2019 13:48:32 -0800 (PST)
MIME-Version: 1.0
References: <154068186141.5657.5708171860868071302.idtracker@ietfa.amsl.com>
In-Reply-To: <154068186141.5657.5708171860868071302.idtracker@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Tue, 15 Jan 2019 13:48:21 -0800
Message-ID: <CAAP42hA_eBfsT=qir1Oa1ohB6UuUAJh+JhS6kNbgAYNtA1wOhA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000642050057f861fb0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3csJ0h5VRhIBDwSRSpmRjHwsaIs>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-device-flow-13: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jan 2019 21:48:38 -0000
On Sat, Oct 27, 2018 at 4:11 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-oauth-device-flow-13: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for addressing my Discuss points. I would still prefer to see a > normative requirement for explicit user approval (as opposed to just the > descriptive statement that the chance to approve/deny should be offered), > but I can understand the sentiment that such a requirement on the UI is > not a matter for interoperability and could not be reliably enforced > anyway. > Thank you again for your review. The UI requirements not being a matter for interoperability is indeed why there is no normative text for that, and we're following the approach taken by other IETF OAuth specifications which also leave this up to the implementors. I understand your concerns here, but I hope that the current non-normative guidance is enough. > > Original COMMENT section preserved below. > > Please use the RFC 8174 boilerplate instead of the RFC 2119 one. > > Section 3.2 > > The example expires in 30 minutes? That seems longer than needed; wouldn't > 5 minutes do? > > Section 3.3 > > I agree with directorate reviewer that the MUST NOT requirement for > displaying the device_code should justify that requirement by discussing > the consequences of exposure. > > Section 3.5 > > authorization_pending > The authorization request is still pending as the end-user hasn't > yet completed the user interaction steps (Section 3.3). The > client should repeat the Access Token Request to the token > endpoint. > > I feel like we want to mention the 'interval' here or some other discussion > of an inter-request delay. > > Also, please clarify "reasonable default polling interval", per multiple > directorate reviews. > > Section 5.2 > > Please clarify the entities involved in "the backchannel flow" that can be > MITM'd. > > Section 5.6 > > The "short-range" part of a "short-range wireless signal" partially depends > on how big the receiver's antenna is. So perhaps we should be careful > about indicating that this has more security value than it does. > > Section 6.1 > > I'm not sure I understand the usage of "case-insensitive", here -- how > would the user have an expectation of case-insensitivity? Perhaps it is > better to just say "majuscule" or "upper case" or whatever. > > >
- [OAUTH-WG] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… William Denniss