[OAUTH-WG] AD review of draft-ietf-oauth-iss-auth-resp-02

Roman Danyliw <rdd@cert.org> Wed, 27 October 2021 19:41 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <BN1P110MB0939DFB7DCA3DBBE3CCA7B53DC859@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HlzumKBfuimwEbt6FtVuYXTdTKI>

Hi!

I performed an AD review of draft-ietf-oauth-iss-auth-resp-02.  Thanks for documenting this mitigation.  

The document is in good shape so I am advancing it to IETF LC.  Please treat these minor comments as part of that feedback:

** Section 2.4.  Editorial.

   The decision of whether to accept such
   responses is individual for every scenario and it is not in the scope
   of this specification.

Would it be more clear to say:

"Local policy or configuration can determine whether to accept such responses and specific guidance is out of scope for this specification."

There is also similar language in the next paragraph.

** Sections 5.1 and 5.2.  Per the "Change Control" field, please s/IESG/IETF/

Thanks,
Roman
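The Section 2.4 comment above concerns what a client does with an authorization response that carries no "iss" parameter. The following is an added example, not code from the review, the draft or any implementation it names: a client-side check of the "iss" parameter that draft-ietf-oauth-iss-auth-resp defines for the authorization response, in which the client remembers which authorization server each request (keyed by "state") was sent to and rejects a response whose "iss" does not match that server's issuer identifier. The "accept such responses" decision that the draft leaves to local policy is modelled as an explicit flag. The names PendingRequest, verify_authorization_response, accept_missing_iss and the sample redirect URLs are this example's own assumptions.

```python
# Added example (not from the AD review or the draft): client-side validation of
# the "iss" authorization-response parameter against the issuer the client sent
# the request to. A mismatching "iss" indicates a mix-up (response from a
# different AS than the one asked); a missing "iss" is rejected when the AS is
# known to support the parameter, and otherwise falls to local policy.
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


class AuthResponseError(Exception):
    """Raised when the authorization response must not be accepted."""


@dataclass(frozen=True)
class PendingRequest:  # hypothetical record kept per outstanding request
    # Issuer identifier of the AS the request went to, taken from that AS's
    # metadata ("issuer") at request time, never from the response itself.
    expected_issuer: str
    # True when the AS advertised authorization_response_iss_parameter_supported
    # (or the client otherwise knows it emits "iss").
    iss_supported: bool


def verify_authorization_response(
    redirect_url: str,
    pending: dict[str, PendingRequest],
    accept_missing_iss: bool = False,
) -> dict[str, str]:
    """Validate the redirect back to the client; return its single-valued params.

    pending maps each outstanding "state" to the request it belongs to.
    accept_missing_iss is the local-policy knob for a response with no "iss"
    from an AS whose support for the parameter is unknown (draft Section 2.4).
    The same rules apply to error responses (error=...).
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    # A parameter that appears twice is a classic confusion vector; refuse it.
    dups = sorted(k for k, v in query.items() if len(v) != 1)
    if dups:
        raise AuthResponseError(f"duplicated parameter(s): {dups}")
    params = {k: v[0] for k, v in query.items()}

    state = params.get("state")
    if state is None or state not in pending:
        raise AuthResponseError("unknown or missing state")
    req = pending[state]

    iss = params.get("iss")
    if iss is None:
        if req.iss_supported:
            # The AS is known to emit "iss"; its absence means this response did
            # not come from that AS as-is.
            raise AuthResponseError("iss missing from an AS known to support it")
        if not accept_missing_iss:
            raise AuthResponseError("iss missing and local policy rejects that")
    elif iss != req.expected_issuer:
        # Exact string comparison: any difference is a mix-up, not a near-miss.
        raise AuthResponseError(
            f"iss mismatch: got {iss!r}, expected {req.expected_issuer!r}"
        )
    return params


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    pending = {"s1": PendingRequest("https://honest.as.example", True)}
    good = "https://client.example/cb?code=c1&state=s1&iss=https%3A%2F%2Fhonest.as.example"
    bad = "https://client.example/cb?code=c1&state=s1&iss=https%3A%2F%2Fattacker.example"
    print(verify_authorization_response(good, pending)["code"])
    try:
        verify_authorization_response(bad, pending)
    except AuthResponseError as exc:
        print("rejected:", exc)
```

The policy flag defaults to rejecting responses without "iss", so a deployment that still talks to authorization servers of unknown capability has to opt in explicitly, which is the direction the review's suggested wording ("local policy or configuration can determine") points at.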