Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt
Peter Saint-Andre <stpeter@stpeter.im> Wed, 23 March 2011 21:25 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AF36F3A6856 for <oauth@core3.amsl.com>; Wed, 23 Mar 2011 14:25:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.59
X-Spam-Level:
X-Spam-Status: No, score=-102.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSuTKW39pOuP for <oauth@core3.amsl.com>; Wed, 23 Mar 2011 14:25:58 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 3BC693A676A for <oauth@ietf.org>; Wed, 23 Mar 2011 14:25:58 -0700 (PDT)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id A65BD40022 for <oauth@ietf.org>; Wed, 23 Mar 2011 15:28:41 -0600 (MDT)
Message-ID: <4D8A65BF.7060506@stpeter.im>
Date: Wed, 23 Mar 2011 15:27:27 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
References: <CD86669D-CFBA-4557-9680-448DF65CFB0A@gmx.net>
In-Reply-To: <CD86669D-CFBA-4557-9680-448DF65CFB0A@gmx.net>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms030409040300010902000208"
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2011 21:25:59 -0000
<hat type='AD'/> On 3/2/11 12:32 AM, Hannes Tschofenig wrote: > This is a Last Call for comments on > > http://www.ietf.org/id/draft-ietf-oauth-v2-13.txt > > Please have your comments in no later than March 16. > > Do remember to send a note in if you have read the document and have no > other comments other than "its ready to go" - we need those as much as we need "I found a problem". > > Thanks! > Hannes & Blaine Sorry about the late comments. Overall the spec is much improved from the last time I read it. Naturally we all await the addition of the security considerations section, so I won't comment on those aspects until I've had a chance to read draft-lodderstedt-oauth-security in the next few days. Also I won't comment on aspects that others have raised in during WGLC. Here are a few additional points... 1. I think it would help in the Introduction to state specifically that this protocol is designed for use on the web and with HTTP (i.e., use with other application protocols is out of scope). 2. I find the concept of "implicit grant" to be a bit foggy in Section 1.4.2. A forward reference to Section 4.2 might help. (Also, it would be good to reference draft-ietf-websec-origin from Section 4.2.) 3. In the definition of "token endpoint" in Section 2, should "used to exchange an authorization grant for an access token" be "used to exchange an authorization grant or refresh token for an access token"? 4. In Section 2.1, a reference to RFC 2616 would be nice at "authorization server MUST support the use of the HTTP "GET" method". 5. Section 3 states: The authorization server SHOULD NOT issue client credentials to clients incapable of keeping their secrets confidential. How does the authorization server know that a client is not capable of keeping its secrets confidential? 6. Section 3.2 states: In cases where client password authentication is not suitable or sufficient, the authorization server MAY support other existing HTTP authentication schemes or define new methods. What is meant by "new methods"? 7. The various subsections of Section 4 have lots of repeated text for the parameter definitions (e.g., "client_id" and "scope", as well as the error codes). I think it would be cleaner to define these once and reference those definitions throughout the spec. 8. The various subsections of Section 4 also provide conflicting information about various parameter values. For example, Section 4.1.1 says of "response_type" that it "MUST be set to "code"" whereas Section 4.2.1 says "MUST be set to "token"". It would reduce the possibility of confusion to say "When the request is an authorization request, the response_type MUST be set to "code"" or somesuch. 9. What is the expected lifetime of access tokens? Does it make sense to have expires_at (in UTC) instead of, or in addition to, expires_in (a number of seconds)? 10. In Section 4.3.2 there is an open issue regarding internationalization of the client's username and password. What is the current thinking about a resolution? 11. In Section 5.1, a reference to RFC 2616 would be good regarding the HTTP "Cache-Control" response header field. 12. In Section 7, a reference to RFC 2671 would be good regarding the HTTP "Authorization" request header. 13. In Section 8.2, are we really recommending "x_"? I must finish work on draft-saintandre-xdash-considered-harmful... 14. In Sections 10.1 and 10.2, I'm uncomfortable with this text: Before a period of 14 days has passed, the Designated Expert(s) will either approve or deny the registration request, communicating this decision both to the review list and to IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the iesg@iesg.org mailing list) for resolution. I suggest that we re-use the text from RFC 5988: Within at most 14 days of the request, the Designated Expert(s) will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Decisions (or lack thereof) made by the Designated Expert can be first appealed to Application Area Directors (contactable using app-ads@tools.ietf.org email address or directly by looking up their email addresses on http://www.iesg.org/ website) and, if the appellant is not satisfied with the response, to the full IESG (using the iesg@iesg.org mailing list). 15. Section 10.2.1 says: Parameter usage location: The location(s) where parameter can be used. The possible locations are: authorization request, authorization response, token request, or token response. Are those the only allowable locations? I notice that the bearer token spec adds a locations of "resource request" and "resource response". I'm not quite saying we need a registry of locations, but it might be good to have a well-defined way of adding to the list of allowable locations (otherwise a document like the bearer spec might need to say that it updates the base spec). 16. In Section 11.1, I think RFC 2616 needs to be a normative reference. That's it for now! Peter -- Peter Saint-Andre https://stpeter.im/
- [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Hannes Tschofenig
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Brian Campbell
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Chuck Mortimore
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Peter Saint-Andre
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Chuck Mortimore
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Peter Saint-Andre
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Manger, James H
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phillip Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Chuck Mortimore
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Prateek Mishra
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Mike Jones
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phillip Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- [OAUTH-WG] to TLS or not on redirect on consumer … Dick Hardt
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Eran Hammer-Lahav
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Francisco Corella
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Eran Hammer-Lahav
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Prateek Mishra
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Brian Eaton
- Re: [OAUTH-WG] Authorization code security issue … Oleg Gryb
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phillip Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Brian Eaton
- Re: [OAUTH-WG] Authorization code security issue … Eran Hammer-Lahav
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Francisco Corella
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Francisco Corella
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phillip Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Chuck Mortimore