[OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

Ben Campbell <ben@nostrum.com> Tue, 23 May 2017 21:48 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ED06128CDB; Tue, 23 May 2017 14:48:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Ben Campbell <ben@nostrum.com>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-oauth-native-apps@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth-chairs@ietf.org, Hannes.Tschofenig@gmx.net, oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.51.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149557608311.28484.15294343372018912184.idtracker@ietfa.amsl.com>
Date: Tue, 23 May 2017 14:48:03 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ksx8LMvrPLq_H11LuhQ_ehzsI1I>
Subject: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 21:48:03 -0000

Ben Campbell has entered the following ballot position for
draft-ietf-oauth-native-apps-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with Adam's general sentiment about detection of bad behavior vs
asking people not to be bad.

-8 and it's children: There seems to be a lot of duplication (including
duplication of normative language) between the security considerations
and the rest of the document.

- 8.7: This section seems to argue against using in-app browser tabs in
the first place. If there is no good way for the user to tell the
difference between that and an imbedded UA, then maybe we should train
users to be suspicious of any in-app presentation of the authorization
request? The last paragraph seems to be founded on a mismatch between
user needs and typical user sophistication.