Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
William Denniss <wdenniss@google.com> Fri, 18 January 2019 01:41 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEFD9131067 for <oauth@ietfa.amsl.com>; Thu, 17 Jan 2019 17:41:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.641
X-Spam-Level:
X-Spam-Status: No, score=-17.641 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdbGYnUcqzaw for <oauth@ietfa.amsl.com>; Thu, 17 Jan 2019 17:41:01 -0800 (PST)
Received: from mail-it1-x135.google.com (mail-it1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA610130F2F for <oauth@ietf.org>; Thu, 17 Jan 2019 17:41:00 -0800 (PST)
Received: by mail-it1-x135.google.com with SMTP id h193so3847663ita.5 for <oauth@ietf.org>; Thu, 17 Jan 2019 17:41:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fpBlGixABAx4i30jAeEAFxRIyP3K+wUc/ZMFt9o3pHQ=; b=H7gwabJCBzE8FSniTRweSw0R3fUhZiSOY4+KQzTNcjbj3DcvodpAD8ljANdYROtdeY CHAL6KWvv1AE+gTziTqEaQ6XuKbK1EVUgIex1tbTaKDZWk86v7nz9GBa/ajL7bOGA+VN oh4aDlR5rIfSbrnnIESCKKKppwaiLMsTvNS1TLIdZeVqcKe5O34pIfxQEx7ymrdXyLRv DBIAjcEDViI8m9rPdw1px3TAVfHm3+jzP88iGhX9W8wN7AX/ryPNx9LSD8Ea3w+2r3NO ggxl31JE7iqTLbzmXijIklw0tdDEW0d6h08AHecpglJgwNC06tpHTyjx4L8BkGGvgjZx iTBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fpBlGixABAx4i30jAeEAFxRIyP3K+wUc/ZMFt9o3pHQ=; b=KXfq5j0/x755LYkV+EHwb6f+7NQHeuieiDTqPrqaAGbmVBOs01ZqoLIrw/tj4qG7qL wXD7TzjLxxBt+AkgcxhFUYa0NmUv3EnBNZMBwoiMEfs6EcFnywFKC3E6I/Tag89609lr kcDpkyygy3HhHGClfjnCC4EH7+hmRHLn6aEDViRcjVzRbWt7zP0HM1/LPYIphf1/DtUB 22/b1HW35LOdZOPYyTkwK/MdY51QAcWY4OIQyCpCma/kWSBTftsQeNcH5EN/fugv0Gr3 BqBmIimhDUE+OajnS8Ti0JL3jehCs/GGStMAvb3VP117em+LVG3K0Eucl5maUn7h9s9I OuKA==
X-Gm-Message-State: AJcUukd5m1sOXk/A3UjSJ+KaWkFq0NpfdTB88q++8L99m01m7oeoAydq +9EdgcpbC1p3DhGCicvr/x35rcXj8jeYka6SJoZBKw==
X-Google-Smtp-Source: ALg8bN535S0ws+CjKygWkRzIPPGg7WYFnW4ANbsgHrh2ZaTFYn7a/BVPMJPmy/nNcTFoXIZVI22lPKPY3PGNlMzApt0=
X-Received: by 2002:a24:8d45:: with SMTP id w66mr9335448itd.137.1547775659699; Thu, 17 Jan 2019 17:40:59 -0800 (PST)
MIME-Version: 1.0
References: <153315936951.22029.4751693198552667112.idtracker@ietfa.amsl.com>
In-Reply-To: <153315936951.22029.4751693198552667112.idtracker@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 17 Jan 2019 17:40:48 -0800
Message-ID: <CAAP42hBSDK8eREiFyBef3NPMTr8hrxUnjjv+J6Eo4Yk_0O_==g@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000063fd06057fb19ad1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K3UrQM25lBMVxTAJ8YPykWbOzoA>
Subject: Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jan 2019 01:41:04 -0000
Hi Ben, Thank you again for your comments, and sorry for the delay. I believe they are all addressed now in version 14 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-14>. Detailed replies below: On Wed, Aug 1, 2018 at 2:36 PM Ben Campbell <ben@nostrum.com> wrote: > Ben Campbell has entered the following ballot position for > draft-ietf-oauth-device-flow-11: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Major Comment: > > I support Mirja's DISCUSS. (Otherwise, this would be a DISCUSS), but I > have a > slightly different spin on it. The device polls the server while waiting > on the > user to take action. Users are notoriously slow about that sort of thing. > They > might plug in a device then walk away for hours, days, or forever. Now, > consider that we are talking about IoT devices, so there may be millions of > them. If they are fate shared in some way (imagine shipping day for a new > popular product, or a software update that forces reauthorization, or a > server > coming back online after getting whacked the last time around), there > could be > millions of them trying this at the roughly the same time. > > Given all that, I think the draft really needs to give more detailed > guidance > on what sort of refresh rates, maximum attempts, expirations, back off > patterns, etc might be reasonable from both network congestion and server > overload perspectives. > > Added some text to address the requirement for user action: Due to the polling nature of this protocol, care is needed to avoid overloading the capacity of the token endpoint. To avoid unneeded requests on the token endpoint, the client SHOULD only commence a device authorization request when prompted by the user, and not automatically such as when the app starts or when the previous authorization session expires or fails. And further down, added text on network timeouts: Clients on encountering a connection timeout MUST unilaterally reduce their polling frequency before retrying. The use of an exponential backoff algorithm to achieve this, such as by doubling the polling interval on each such connection timeout is RECOMMENDED. > Other Substantive Comments: > > §3.1: What sort of events are expected to trigger the flow? In particular, > I > wonder if there should be guidance to make it unlikely to start the > process by > accident. For example, if the authorization process is kicked off by a > device > simply being plugged into power, a user might plug it in then walk away > before > realizing they had more to do. (See my major comment). > Good point. Added text that there should be a user action (see above). §3.3: What sort of bad thing could happen if the device_code is > communicated to > a user? Do implementers need to worry about people guessing device-codes? > Users discovering their own codes falls under client impersonation (clients being impersonated can also just request new device_codes). Added a section directly discussing device_codes in Section 5.6 Non-confidential Clients. The section titled "Device Code Brute Forcing" covers the guessing problem, Section 5.2. > > §3.3, last paragraph: The "NOT RECOMMENDED" seems overly strong, given > that the > next section describes a perfectly good way to do exactly that. Maybe > something > like "NOT RECOMMENDED unless the device uses a non-textual mechanism for > conveying the URL and code, such as that described in ..." would make > sense? > This section was reworded, it currently has a NOT RECOMMENDED for including the user_code specifically in the `verification_uri`, and mentions that there is a designed way to do this as well. > §5.4: Are devices expected to know the operating environment in advance of > deployment? > Generally yes. > Editorial Comments: > > §1, 3rd paragraph: The first sentence is hard to parse due the list of > long, > complex phrases. Please consider breaking into simpler sentences. > That's done. > > §2: There are lower case instances of normative keywords. Please consider > using the updated boilerplate from RFC8174. > Boilerplate is now RFC8174. Best, William
- [OAUTH-WG] Ben Campbell's No Objection on draft-i… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… William Denniss
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… William Denniss