Re: [OAUTH-WG] AD review of draft-ietf-oauth-native-apps

John Bradley <> Tue, 25 April 2017 13:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 43DE112EE8D for <>; Tue, 25 Apr 2017 06:10:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BbQwe494Jgn8 for <>; Tue, 25 Apr 2017 06:10:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 16F7112EC70 for <>; Tue, 25 Apr 2017 06:10:09 -0700 (PDT)
Received: by with SMTP id f76so63674765qke.2 for <>; Tue, 25 Apr 2017 06:10:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=mmSeoUkSmoTsk8wv4ofxFqZW1VZE1Tfvubi+L5oO/7c=; b=DWgZrEPAN12FBy5vYmR4c9lXrkHK2hepXV31DNx4Ss9HmAyIzcdxvSncMtRBSp8gaF i3pLyX6tX8G0cSdiDI0HCKYwpFvwi8OcJZXBCXeJFhHinsIYandZPC5V1n5HpWYwVBLk /dYe7x75JpXrzGWtXaH8x7qB6HkGYZNODr9pLZsTnwidfiyUGVdC4KzSSpoqLtulKxZS JFV/Bk8yk6eExX+G/RIbQwjezSG6Jzus9UO3wta5/BDOLoA6PvnMYGsJQbJAiMU+MTAi 5VyTz0dgSKhMYeAY57+tvhrNKY8n19kAXHYA5OWiYmD51x/P3Ljr/Zqxyn7t4u1rjYob Hgjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=mmSeoUkSmoTsk8wv4ofxFqZW1VZE1Tfvubi+L5oO/7c=; b=YVcX+o0a65ZBHby+Kaq+y/k0uWNrO+gifwx+J4ZtPWJSCgi57x58M/RmDYBJxoCkbe rS+JsL/mTkNtQXELm3TTZE6pbEXOmfnBydhaY2JmCOaAzTKPkaHvrJBJh0quru6yooX3 Tosmus1QFlQ19q+uiXP5ecDSj5XAHMWdtQE89hDLPUndInrQ4J2APCXi7ESImv46agmi 64DJGSc86SConGfps7MoMS71wCKdddW5eSqNdUovy5h9lEmcRr7OuDrXieeCudC3qI15 zBbqNz8trlgMhqtl1x+CfhYYPZ/T2ZMBABte3zAbNG1HgANTqYO+03iZJHjPHlcpm4EN qCgg==
X-Gm-Message-State: AN3rC/4squDUug0GzAPK5HfFJef4+xsJ0ObBhQXHJADBLQx58ZzSPnZj qLnplmoxsMDlLaKV
X-Received: by with SMTP id z129mr29334577qke.308.1493125808997; Tue, 25 Apr 2017 06:10:08 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id h37sm6610718qtc.47.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Apr 2017 06:10:08 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: John Bradley <>
In-Reply-To: <>
Date: Tue, 25 Apr 2017 10:09:56 -0300
Cc: "" <>
Message-Id: <>
References: <>
To: Kathleen Moriarty <>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c06569477b940054dfd71b5"
Archived-At: <>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-native-apps
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 25 Apr 2017 13:10:13 -0000

Thanks Kathleen,

William and I will address these shortly.

We can take out the IANA section completely if you think it is better.

In the current implementations on Android and iOS Universal Links/App Links and  are only http or HTTPS schema URI making them URL.

So while all URL are URI, we could be more specific if that is OK with the style police.  I thought the URL term was currently discouraged..

John B.

> On Apr 24, 2017, at 10:47 PM, Kathleen Moriarty <> wrote:
> Hello,
> Thanks for taking the time to document this best practice and the
> implementations in the appendix. I have one comment and a few nits.
> Security Considerations:
> I think it would go a long way to organize these as ones that apply to
> this best practice and ones (8.1 and the example in 8.2) about
> alternate solutions.  This could also be done through some added text,
> but making this clear would be helpful.  Maybe moving 8.1 and 8.2
> until after the rest of the sections would be enough and then clearly
> state the intent of this text.
> IANA Section:
> Just a note - you might get some questions about this, but i do think
> it's fine to leave that text, although unnecessary.
> Nits:
> Section 5, punctuation
> OLD:
>   By applying the same principles from the web to native apps, we gain
>   benefits seen on the web like the usability of a single sign-on
>   session, and the security of a separate authentication context.
> NEW:
>   By applying the same principles from the web to native apps, we gain
>   benefits seen on the web, like the usability of a single sign-on
>   session and the security of a separate authentication context.
> The document has text that says 'native app' in some places and 'app'
> in others, I assume these are used interchangeably?  It seems that
> they are used interchangeably.
> Really nitty:
> Section 7.2,
> Since you are still in the example, did you mean URL in the following:
> Such claimed HTTPS URIs can be used as OAuth redirect URIs.
> Such claimed HTTPS URLs can be used as OAuth redirect URIs.
> And again in the last paragraph of this section.
> I'm only asking since you specify URL earlier in this section, so you
> were more specific for the example and then drop back to URI (which is
> correct, but wondering if you wanted to continue at the same level of
> specificity or if there was a reason to just say URI here.
> Section 8.11
> s/uri/URI/
> -- 
> Best regards,
> Kathleen
> _______________________________________________
> OAuth mailing list