Re: [OAUTH-WG] Genart last call review of draft-ietf-oauth-device-flow-10

Robert Sparks <rjsparks@nostrum.com> Thu, 02 August 2018 00:55 UTC

To: William Denniss <wdenniss@google.com>
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-oauth-device-flow.all@ietf.org, ietf@ietf.org, oauth <oauth@ietf.org>
References: <152873404689.2672.12557627140070509936@ietfa.amsl.com> <CAAP42hBorW5013fq83xwzQuX78eePswxHr-JTZcFSaTDWjba1w@mail.gmail.com>
From: Robert Sparks <rjsparks@nostrum.com>
Message-ID: <10738b94-395f-4493-c0af-dd11b75e14e7@nostrum.com>
Date: Wed, 01 Aug 2018 19:55:45 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4JO23dvieDHOjDP5HggUGTMYzGY>

Answering your question inline:


On 8/1/18 6:55 PM, William Denniss wrote:
> Robert,
>
> Thank you for your valuable feedback. Version 12 incorporates your 
> feedback. Replies inline:
>
> On Mon, Jun 11, 2018 at 9:20 AM, Robert Sparks <rjsparks@nostrum.com 
> <mailto:rjsparks@nostrum.com>> wrote:
>
>     Reviewer: Robert Sparks
>     Review result: Ready with Nits
>
>     I am the assigned Gen-ART reviewer for this draft. The General Area
>     Review Team (Gen-ART) reviews all IETF documents being processed
>     by the IESG for the IETF Chair.  Please treat these comments just
>     like any other last call comments.
>
>     For more information, please see the FAQ at
>
>     <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
>     Document: draft-ietf-oauth-device-flow-10
>     Reviewer: Robert Sparks
>     Review Date: 2018-06-11
>     IETF LC End Date: 2018-06-12
>     IESG Telechat date: Not scheduled for a telechat
>
>     Summary: Ready for publication as a Proposed Standard RFC, but
>     with nits to consider
>
>     Nits/editorial comments:
>
>     In 3.5 "the client MUST use a reasonable default polling interval" is
>     not testable. Who determines "reasonable"? At the very least, you
>     should add some text about how to determine what "reasonable" is for a
>     given device, and add some text that says don't poll faster than
>     earlier responses limited you to. For example, if the response at step
>     B in the introductory diagram had an explicit interval of 15, but a
>     slow-down response to an E message didn't have an explicit interval,
>     you don't want them to default to, say 5 seconds (because that's what
>     the example in section 3.2 said, so it must be reasonable).
>
>
> Thanks for the feedback, version 12 specifies a default of 5s.
>
>     In 3.3, you say the device_code MUST NOT be displayed or communicated.
>     Is there a security property that's lost if there is? Or is this just
>     saying "Don't waste space or the user's time"?
>
>
> It's just a waste of the user's time. This text has been modified.
>
>
>     The last paragraph of section 6.1 feels like a recipe for false
>     positives, and for bug-entrenched code. Please reconsider it.
>
>
> I've reworded it a bit, but it's actually an important usability 
> consideration so I do want to keep it in some form.
>
>     You need line-folding in the example in section 3.2
>
>
> Can you clarify what you mean by this?
There was a line in a previous version (I thought I saw it in -10, but 
right now I only see it in -09) that was too long to be published as-is 
in an RFC. It looks like it's fixed in -12.

>
> Best,
> William
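The polling-interval point raised in the review above, as an added example that is not part of the thread or of the draft: a device-flow client that takes its interval once from the device authorization response (step B in the draft's diagram) and afterwards only ratchets it upward on `slow_down`, never falling back to the 5 s default just because a later response omits `interval`. The +5 s increase on `slow_down` is the rule the published RFC 8628 (section 3.5) adopted; the class, function names and sample exchange are constructed for this illustration.

```python
import json

DEFAULT_INTERVAL = 5  # seconds: the default -12 adopts when "interval" is absent
SLOW_DOWN_STEP = 5    # seconds: the increase RFC 8628 sec. 3.5 requires on "slow_down"


def naive_next_interval(response: dict) -> int:
    """The behaviour the review warns against (constructed illustration): a
    response without "interval" falls back to the default, so a 15 s limit
    granted at step B silently becomes 5 s after a bare slow_down."""
    return int(response.get("interval", DEFAULT_INTERVAL))


class DevicePoller:
    """Interval state for a device-flow client: set once from the device
    authorization response (step B), then only ratcheted upward on slow_down."""

    def __init__(self, device_auth_response: dict):
        self.interval = int(device_auth_response.get("interval", DEFAULT_INTERVAL))

    def on_token_response(self, status: int, body: str) -> str:
        """Apply one token endpoint response (step E); return the outcome."""
        data = json.loads(body)
        if status == 200 and "access_token" in data:
            return "done"
        error = data.get("error")
        if error == "slow_down":
            self.interval += SLOW_DOWN_STEP  # cumulative: applies to all later polls
            return "slow_down"
        if error == "authorization_pending":
            return "pending"  # keep the current interval; do not reset it
        return "fatal"  # e.g. access_denied or expired_token: stop polling


def replay(device_auth: dict, responses: list) -> list:
    """Run a constructed exchange; return the interval in force after each poll."""
    poller = DevicePoller(device_auth)
    history = []
    for status, body in responses:
        poller.on_token_response(status, body)
        history.append(poller.interval)
    return history


# Constructed sample exchange: step B grants an explicit 15 s interval; none of
# the later token responses carries "interval", and one of them is slow_down.
SAMPLE_DEVICE_AUTH = {"device_code": "<constructed>", "user_code": "<constructed>",
                      "verification_uri": "https://example.com/device", "interval": 15}
SAMPLE_RESPONSES = [(400, '{"error": "authorization_pending"}'),
                    (400, '{"error": "slow_down"}'),
                    (400, '{"error": "authorization_pending"}')]
```

With the sample exchange, `replay` holds the 15 s interval through the first pending response and raises it to 20 s from the `slow_down` onward, whereas `naive_next_interval` would have dropped to 5 s.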