IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06

Justin Richer <jricher@mitre.org> Fri, 12 April 2013 21:03 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C667221F8DDF for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2013 14:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPR-lClW6VuQ for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2013 14:03:32 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5AA2221F8DD1 for <oauth@ietf.org>; Fri, 12 Apr 2013 14:03:25 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id DB9261F0ACE; Fri, 12 Apr 2013 17:03:24 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AC71C1F0AC9; Fri, 12 Apr 2013 17:03:24 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Fri, 12 Apr 2013 17:03:24 -0400
Message-ID: <51687697.3060602@mitre.org>
Date: Fri, 12 Apr 2013 17:03:19 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <51644F9A.9040402@cs.tcd.ie> <51687451.3020307@cs.tcd.ie>
In-Reply-To: <51687451.3020307@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2013 21:03:33 -0000

Hi Stephen,

I didn't respond as I didn't have anything to add to your comments, but 
what little details I have are inline.


On 04/12/2013 04:53 PM, Stephen Farrell wrote:
> Hi,
>
> I'm surprised there've been no responses. I thought
> there was more interest in this one.
>
> Ta,
> S.
>
> On 04/09/2013 06:27 PM, Stephen Farrell wrote:
>> Hi,
>>
>> I've done my AD review of this draft. I have two quick questions
>> I'd like to get answered before I start IETF LC. Depending on the
>> answers maybe we should re-spin or just fire ahead, let's see...
>>
>> (1) 2.1: "upon the return of the request" isn't right is it?  I
>> think you mean the response at least. And what about HTTP error
>> handling? What if I get a 503 error? Is the client supposed
>> to re-send ever? Don't you need to say?
Should this read "upon receipt of an HTTP 200 response from the server" 
instead? If there's a 503, the client can't assume the token is gone, 
but it also probably shouldn't try spamming the endpoint, either.

>>
>> (2) 2.2: what's in the response body with a 200 response?  If it
>> doesn't matter please say so.
Doesn't matter. All information is conveyed in the response code.

>>
>> I see from the write-up one author hasn't confirmed there are
>> no IPR issues. I've sent a Marius a mail so hopefully we
>> can sort that as we go.
>>
>> I also have the following nits that can be fixed (if need
>> be) whenever the draft is next changed:
>>
>> - intro: "app" isn't really a great term to use, can you replace
>> with something from 6479.
"app" was chosen because the application to use here could be either the 
Client or the Resource Server in RFC6749, so neither is really the right 
fit. It's whoever's revoking the token.

>>
>> - section 2: the "MAY include a query component" is sort of
>> dangling there, maybe it'd be better moved elsewhere?
Don't see where else this could fit. Basically we're saying the endpoint 
URL can be defined as "/endpoint?type=revoke" just as easily as "/revoke".
>>
>> - section 2: "MUST be obtained from a trustworthy source." might
>> generate comment from IESG members who don't like using 2119
>> terms in ways that don't affect interoperability. (I'm fine with
>> it fwiw, and have nearly cured 'em of that craze;-) Consider
>> s/MUST/need to/ here.
WFM.
>>
>> - 2.1: ought there be a registry for token_type_hint values? It
>> looks like maybe there ought be.
I think a registry is overkill for this kind of thing, but I suppose it 
could be set up. It's meant to be a *hint* to the server as to what kind 
of token it is. If it does get set up, the Introspection draft will use 
it (if that ever can get either pulled into the WG or moved through as 
an individual submission).

>> - 2.1: "A client compliant with [RFC6749] must be prepared" was
>> that meant to be a 2119 MUST?
This is informative, not normative. You could easily replace "must" with 
"needs to" here and get the same intended meaning, which is that tokens 
can disappear when you're not looking.

>>
>> - section 6: maybe s/shall/need to/ in the last para

Same as above.

>>
>> Cheers,
>> S.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email