[OAUTH-WG] AD Review: draft-ietf-oauth-discovery-06

Eric Rescorla <ekr@rtfm.com> Sun, 03 September 2017 22:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4D2WpE114jirJPDpMcHYcs_zysY>

Hi folks,

Note: the original of this review is on Phabricator at:

  https://mozphab-ietf.devsvcdev.mozaws.net/D7

If you want to see comments in context, you can go there. Also,
you can create an account and respond inline if you like.
If you elect to, let me know if you run into problems.

-Ekr


I have marked a number of places where it seems like you either need
defaults or need to indicate what the semantics are if missing.


   This metadata can either be communicated in a self-asserted fashion
   or as a set of signed metadata values represented as claims in a JSON
I assume "self-asserted" in this case means "asserted by the server origin
via HTTPS".


Line 222
      authentication methods.  Servers SHOULD support "RS256".  The
      value "none" MUST NOT be used.
What's the default if omitted?


Line 235
      represented as a JSON array of BCP47 [RFC5646] language tag
      values.
What's the default if omitted?


Line 267
      "OAuth Token Endpoint Authentication Methods" registry
      [IANA.OAuth.Parameters].
What's the default if omitted?


Line 275
      "client_secret_jwt" authentication methods.  The value "none" MUST
      NOT be used.
What's the default if omitted?


Line 288
      Access Token Types" registry [IANA.OAuth.Parameters].  (These
      values are and will remain distinct, due to Section 7.2.)
What's the default if omitted?


Line 296
      "client_secret_jwt" authentication methods.  The value "none" MUST
      NOT be used.
What's the default if omitted?


Line 304
      challenge method values are those registered in the IANA "PKCE
      Code Challenge Methods" registry [IANA.OAuth.Parameters].
What's the default if omitted?

Line 343
   MUST be registered in the IANA "Well-Known URIs" registry
   [IANA.well-known].
IMPORTANT: Shouldn't this be required to be HTTPS?

Line 500
   client MUST perform a TLS/SSL server certificate check, per RFC 6125
   [RFC6125].  Implementation security considerations can be found in
   Recommendations for Secure Use of TLS and DTLS [BCP195].
Hmm.... I'm unsure about whether this should be a citation to 2818. Is the
general feeling that 6125 superseded 2818?


Line 564
   The following registration procedure is used for the registry
   established by this specification.
This section seems like it needs RFC 2119 language.


Line 568
   Values are registered on a Specification Required [RFC5226] basis
   after a two-week review period on the oauth-ext-review@ietf.org
   mailing list, on the advice of one or more Designated Experts.
What happens if you don't do anything within two weeks?


Line 756
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]
Extra whitespace.
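The points the review raises (what a client assumes when a field is omitted, whether the well-known URL and the endpoints must be HTTPS, and the ban on "none" in the signing-alg lists) are exactly what a client-side validator for the metadata document has to decide. The following is an added example in Python, not code from the review, the draft or any project. It assumes the well-known path ".well-known/oauth-authorization-server" inserted between host and issuer path, and the defaults for omitted fields that the published RFC 8414 later specified (client_secret_basic for the token and revocation endpoint auth methods, authorization_code plus implicit for grant types, query plus fragment for response modes); the requirement that every endpoint be HTTPS is a local client policy, and the sample documents are constructed for the example.

```python
"""Client-side checks for an OAuth 2.0 Authorization Server Metadata
document. Added example, not code from the review, the draft or any
project. Assumptions not stated in the review: the well-known path
below, the RFC 8414 defaults in DEFAULTS, and the https-only policy
for endpoints. Sample documents at the bottom are constructed.
"""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = ".well-known/oauth-authorization-server"  # assumption

# Fields holding JWS "alg" lists; the draft says "none" MUST NOT appear.
ALG_LIST_FIELDS = (
    "token_endpoint_auth_signing_alg_values_supported",
    "revocation_endpoint_auth_signing_alg_values_supported",
    "introspection_endpoint_auth_signing_alg_values_supported",
)

# Values assumed when a field is omitted (assumption: RFC 8414 defaults).
DEFAULTS = {
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "revocation_endpoint_auth_methods_supported": ["client_secret_basic"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "response_modes_supported": ["query", "fragment"],
}

ENDPOINT_FIELDS = (
    "authorization_endpoint", "token_endpoint", "jwks_uri",
    "registration_endpoint", "revocation_endpoint", "introspection_endpoint",
)


def _require_https(url, what):
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{what} must be an https URL, got {url!r}")
    return parts


def well_known_url(issuer):
    """Derive the metadata URL for an issuer identifier.

    The issuer must be https with no query or fragment; the well-known
    path is inserted between the host and any issuer path component.
    """
    parts = _require_https(issuer, "issuer")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    path = "/" + WELL_KNOWN + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def validate_metadata(issuer, body):
    """Parse the metadata fetched for `issuer`, apply defaults, check it.

    Returns the completed document or raises ValueError.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("metadata must be a JSON object")

    # The issuer in the document must equal the one the URL was derived
    # from, so one host cannot serve metadata for another issuer.
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")

    for field in ENDPOINT_FIELDS:
        if field in doc:
            _require_https(doc[field], field)

    for field in ALG_LIST_FIELDS:
        algs = doc.get(field, [])
        if not isinstance(algs, list) or not all(isinstance(a, str) for a in algs):
            raise ValueError(f"{field} must be a JSON array of strings")
        if "none" in algs:
            raise ValueError(f'{field} must not contain "none"')

    for field, default in DEFAULTS.items():
        doc.setdefault(field, list(default))

    # Defaults have consequences: with the default grant types, the
    # authorization and token endpoints are no longer optional.
    grants = set(doc["grant_types_supported"])
    if grants & {"authorization_code", "implicit"} and "authorization_endpoint" not in doc:
        raise ValueError("authorization_endpoint required for these grants")
    if grants != {"implicit"} and "token_endpoint" not in doc:
        raise ValueError("token_endpoint required for these grants")
    return doc


# Constructed sample documents, not taken from any real server.
SAMPLE_ISSUER = "https://as.example.com/tenant1"
SAMPLE_DOC = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://as.example.com/tenant1/jwks",
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
    "code_challenge_methods_supported": ["S256"],
})
# Only the issuer: valid JSON, but the assumed defaults imply grant
# types whose endpoints this document does not name.
MINIMAL_DOC = json.dumps({"issuer": SAMPLE_ISSUER})

if __name__ == "__main__":
    print(well_known_url(SAMPLE_ISSUER))
    print(json.dumps(validate_metadata(SAMPLE_ISSUER, SAMPLE_DOC), indent=2))
```

The functions take the issuer and the already-fetched body so the example runs offline; the fetch itself should go through a TLS context that verifies both the certificate chain and the hostname (Python's `ssl.create_default_context()` enables both), which is the RFC 6125 check the review discusses. The MINIMAL_DOC case shows why the "what if omitted" questions matter: a document that is valid JSON with a matching issuer still fails once the defaults are applied, because the defaulted grant types require endpoints it does not list.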