[OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-mtls-16: (with COMMENT)

[Adam Roach via Datatracker <noreply@ietf.org>]

Adam Roach has entered the following ballot position for
draft-ietf-oauth-mtls-16: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


Thanks for the work that everyone did on this document. I have one suggestion
for clarification, followed by a handful of editorial nits.

---------------------------------------------------------------------------

§2.1.2:

>  tls_client_auth_san_ip
>     A string representation of an IP address in either dotted decimal
>     notation (for IPv4) or colon-delimited hexadecimal (for IPv6, as
>     defined in [RFC4291] section 2.2) that is expected to be present
>     as an iPAddress SAN entry in the certificate, which the OAuth
>     client will use in mutual TLS authentication.

This probably needs some text that clarifies expectations around comparison
and/or normalization. For example, if the iPAddress value in the cert is
"20 01 0d b8 00 00 00 00 00 00 00 00 c0 00 02 ca" (and a mask of all F's), one
should presume that this would match both tls_client_auth_san_ip values
"2001:db8:0:0:0:0:c000:2ca" and "2001:DB8::192.0.2.202", right? If no, then
this document needs to talk about normalization of address representation.


---------------------------------------------------------------------------

§1:

>  Layering on the abstract flow above, this document standardizes
>  enhanced security options for OAuth 2.0 utilizing client certificate
>  based mutual TLS.

Nit: "client-certificate-based"

>  OAuth 2.0 defines a shared secret method of client authentication but

Nit: "shared-secret"

---------------------------------------------------------------------------
§1:

>  This document describes an additional
>  mechanism of client authentication utilizing mutual TLS certificate-
>  based authentication

Nit: "mutual-TLS"

>  Mutual TLS certificate-bound access tokens ensure that only the party

Nit: "Mutual-TLS"

>  Mutual TLS certificate-bound access tokens and mutual TLS client

Nit: "Mutual-TLS... mutual-TLS"

>  Additional client metadata parameters are introduced by this document
>  in support of certificate-bound access tokens and mutual TLS client
>  authentication.

Nit: "mutual-TLS"

The remainder of the document has several other uses of the phrase "mutual
TLS" as an adjective; they should be similarly hyphenated. I will not call
them out individually. (Non-adjectival uses should not contain hyphens, so
this isn't a simple find-and-replace operation.)

---------------------------------------------------------------------------

§5:

>  Authorization servers supporting both clients using mutual TLS and
>  conventional clients MAY chose to isolate the server side mutual TLS
>  behaviour to only clients intending to do mutual TLS, thus avoiding

Nit: "behavior" (or adjust other spellings in the document to be consistently
British).