Re: [OAUTH-WG] OAuth 2.0 v21 Nits and Typos
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 20 September 2011 20:17 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 687A321F8C09 for <oauth@ietfa.amsl.com>; Tue, 20 Sep 2011 13:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.561
X-Spam-Level:
X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqTCOZJ7xQp9 for <oauth@ietfa.amsl.com>; Tue, 20 Sep 2011 13:17:53 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id A2F1C21F8C06 for <oauth@ietf.org>; Tue, 20 Sep 2011 13:17:53 -0700 (PDT)
Received: (qmail 16452 invoked from network); 20 Sep 2011 20:20:12 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 20 Sep 2011 20:20:12 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 20 Sep 2011 13:19:37 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Anganes, Amanda L" <aanganes@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 20 Sep 2011 13:19:27 -0700
Thread-Topic: OAuth 2.0 v21 Nits and Typos
Thread-Index: Acx23/QyH/ollQzMTvycxaih82WAowA7WQkw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345213D92CEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <235AEAA316C791418CE9E8FEFC77306110D6FFB801@IMCMBX3.MITRE.ORG>
In-Reply-To: <235AEAA316C791418CE9E8FEFC77306110D6FFB801@IMCMBX3.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] OAuth 2.0 v21 Nits and Typos
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2011 20:17:54 -0000
Thanks. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Anganes, Amanda L > Sent: Monday, September 19, 2011 8:23 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] OAuth 2.0 v21 Nits and Typos > > Lots of minor grammar and wording catches here. I apologize if any of these > were already brought up and addressed. > > 1.2.3, second paragraph: "When issuing an implicit grant, the authorization > server does not authenticate the client and in some cases, the client identity > can be verified..." should be "When issuing an implicit grant, the authorization > server does not authenticate the client. In some cases, the client identity can > be verified..." > > 1.5, first paragraph. Last sentence should be changed to "Issuing a refresh > token is optional. If an authorization server issues a refresh token, it is > included when issuing an access token." > > 2.1, definition of public client: last sentence ends with "via any other mean" > which should be "via any other means". > > 2.1, definition of native applications: "On the other hand, dynamically issued > credentials such as access tokens or refresh tokens, can receive an > acceptable level of protection" should be "On the other hand, dynamically > issued credentials such as access tokens or refresh tokens can receive an > acceptable level of protection" (final comma is unnecessary). > > 3.1, second paragraph. Add a comma after "beyond the scope of this > specification", so it reads "The means through which the client obtains the > location of the authorization endpoint are beyond the scope of this > specification, but the location is typically provided in the service > documentation". > > 3.2.1, first sentence. Unnecessary comma between "requirements" and > "MUST"; should read "Confidential clients, clients issued client credentials, or > clients assigned other authentication requirements MUST authenticate..." > > 4.1, section (E): last sentence is missing a subject. "If valid, responds back > with an..." should read "If valid, the authorization server responds back with > an..." > > 4.1.2 and 4.1.2.1, also 4.2.2 and 4.2.2.1, state description: last sentence is > missing a MUST. Should read "REQUIRED if the state parameter was present > in the client authorization request. The state parameter MUST be set to the > exact value received from the client." > > 4.1.3, redirect_uri description: Change "REQUIRED, if the redirect_uri > parameter was included in the authorization request described in Section > 4.1.1, and their values MUST be identical" to "REQUIRED, if the redirect_uri > parameter was included in the authorization request as described in Section > 4.1.1. If included, the two values MUST be identical". > > 4.1.3, final paragraph ("The authorization server MUST: ..."). Is any additional > normative language required for lists such as this in order to specify that the > AS must do ALL of the items in the list? Similar MUST lists appear elsewhere > throughout the rest of the document. The entire list is required. > Also, final bullet should be reworded; suggest "ensure that the redirect_uri > parameter is present if the redirect_uri parameter was included in the initial > authorization request as described in Section 4.1.1, and if included ensure > that their values are identical". > > 4.2, first paragraph: clarify that implicit grants can be used only for access > tokens by including the word "only" here: "The implicit grant type is used to > obtain access tokens only..." That might not be accurate with extensions. > 4.3.2, paragraph after term parameter descriptions: "If the client type is > confidential or was issued client credentials" should be reworded to "If the > client type is confidential or the client was issued client credentials". > > 9, bullets following second paragraph: Change this to a definition list format > instead of a bulleted list. This is not definitions. > 9, final bullet following "when choosing between an external or embedded > user-agent...": Last sentence starts "Embedded user-agent educate..." but > should be "Embedded user-agents educate..." > > 10.2, second paragraph: last sentence is a fragment. Reword to "For > example, the authorization server should engage the resource owner to > assist in identify the client and its origin." > > 10.5, second paragraph, first sentence: extraneous comma between > "authorization server" and "is". Should be "...verify that the resource owner > who granted authorization at the authorization server is the same resource > owner..." > > 10.6, last paragraph, first sentence: extraneous comma between > "authorization code" and "is the same". Should be "... the authorization > server MUST ensure that the redirection URI used to obtain the > authorization code is the same as the redirection URI provided ..." > Last sentence should be reworded; suggest "The authorization server MUST > require public clients and SHOULD require confidential clients to register their > redirection URIs. If a redirection URI is provided in the authorization request, > the authorization server MUST validate the URI received against the > registered value." > > 10.14, first sentence. Reads awkwardly and should be reworded; suggest "A > code injection attack occurs when an unsanitized input or otherwise external > variable is used to modify application logic." > > 11.1, 11.2, 11.3, 11.4: second to last paragraph is missing "(s)" on the end of > "Designated Expert" : "Decisions (or lack thereof) made by the Designated > Expert can be..." should be "Decisions (or lack thereof) made by the > Designated Expert(s) can be..." > > 11.2, second paragraph has extraneous comma after "or the token endpoint > response" : "...the token endpoint request, or the token endpoint response, > are registered" should be "...the token endpoint request, or the token > endpoint response are registered". > > 11.2.1, "Parameter usage location" description should have references to the > relevant sections of this spec, as 11.4.1 does. No similar references available. EHL
- [OAUTH-WG] OAuth 2.0 v21 Nits and Typos Anganes, Amanda L
- Re: [OAUTH-WG] OAuth 2.0 v21 Nits and Typos Eran Hammer-Lahav