IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-04.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 07 January 2013 16:18 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF84021F8994 for <oauth@ietfa.amsl.com>; Mon, 7 Jan 2013 08:18:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzbxnfDkM5Wj for <oauth@ietfa.amsl.com>; Mon, 7 Jan 2013 08:18:55 -0800 (PST)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.102]) by ietfa.amsl.com (Postfix) with ESMTP id 8B09621F892E for <oauth@ietf.org>; Mon, 7 Jan 2013 08:18:54 -0800 (PST)
Received: from [79.253.14.73] (helo=[192.168.71.36]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1TsFPY-0008BK-Qv; Mon, 07 Jan 2013 17:18:52 +0100
Message-ID: <50EAF568.8000201@lodderstedt.net>
Date: Mon, 07 Jan 2013 17:18:48 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>, OAuth WG <oauth@ietf.org>
References: <20130107120057.29202.70722.idtracker@ietfa.amsl.com> <50EABAB0.4060807@lodderstedt.net> <50EAF409.80704@aol.com>
In-Reply-To: <50EAF409.80704@aol.com>
Content-Type: multipart/alternative; boundary="------------060100080609050408000303"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2013 16:18:56 -0000

Hi George,

thank you for pointing this out. Your proposal sounds reasonable 
although the revocation spec does not build on top of RFC 6750.

As refering to RFC 6750 would create a new dependency, one could also 
argue it would be more robust to leave both specs separated.

What do others think?

regards,
Torsten.
Am 07.01.2013 17:12, schrieb George Fletcher:
> One quick comment...
>
> Section 2.0: Both RFC 6750 and this specification define the 
> 'invalid_token' error code.
>
> Should this spec reference the error code from RFC 6750?
>
> Thanks,
> George
>
>
> On 1/7/13 7:08 AM, Torsten Lodderstedt wrote:
>> Hi,
>>
>> the new revision is based on the WGLC feedback and incorporates the 
>> following changes:
>>
>> - renamed "access grant" to "authorization" and reworded parts of 
>> Abstract and Intro in order to better align with core spec wording 
>> (feedback by Amanda)
>> - improved formatting of section 2.1. (feedback by Amanda)
>> - improved wording of last paragraph of section 6 (feedback by Amanda)
>> - relaxed the expected behavior regarding revocation of related 
>> tokens and the authorization itself in order to remove unintended 
>> constraints on implementations (feedback by Mark)
>> - replaced description of error handling by pointer to respective 
>> section of core spec (as proposed by Peter)
>> - adopted proposed text for implementation note (as proposed by Hannes)
>>
>> regards,
>> Torsten.
>>
>> Am 07.01.2013 13:00, schrieb internet-drafts@ietf.org:
>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>> directories.
>>>   This draft is a work item of the Web Authorization Protocol 
>>> Working Group of the IETF.
>>>
>>>     Title           : Token Revocation
>>>     Author(s)       : Torsten Lodderstedt
>>>                            Stefanie Dronia
>>>                            Marius Scurtescu
>>>     Filename        : draft-ietf-oauth-revocation-04.txt
>>>     Pages           : 8
>>>     Date            : 2013-01-07
>>>
>>> Abstract:
>>>     This document proposes an additional endpoint for OAuth 
>>> authorization
>>>     servers, which allows clients to notify the authorization server 
>>> that
>>>     a previously obtained refresh or access token is no longer needed.
>>>     This allows the authorization server to cleanup security 
>>> credentials.
>>>     A revocation request will invalidate the actual token and, if
>>>     applicable, other tokens based on the same authorization.
>>>
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-oauth-revocation-04
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-revocation-04
>>>
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

v2.30.2 | Report a Bug | By Email | System Status