Re: [OAUTH-WG] Alexey Melnikov's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Wed, 24 May 2017 16:20 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2024128B8E; Wed, 24 May 2017 09:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.718
X-Spam-Level:
X-Spam-Status: No, score=-2.718 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=glOhjxLl; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=nhWSSZl4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdS9DXnjKeU2; Wed, 24 May 2017 09:20:17 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBD62129449; Wed, 24 May 2017 09:20:16 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 457CC207CC; Wed, 24 May 2017 12:20:16 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Wed, 24 May 2017 12:20:16 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=gxbQTfrs+5iHEEuX/mn5WeZXC9f5C I7XMAL0A3jrFrE=; b=glOhjxLlg1rc5n/hXhOOqhLSzJtt0KzBQ6ub7K/GkVNf2 MnfoebTy7Ngx0lq5z3/FpNvvXJqi+x3NJz3weioXEEJ0ArTy/6Ia18e4E920vs0a faRCHf5RjCoyZdUaatDnFq8krd23uD4L9VaFZX/hi/UnZ+QuZWV0eAm+j8ErDHtP 08ms9fdK0pSHIufDZfqSsU5NdTjRTVVA80Jbr/XfH/1KxzIcIM4ZXz1gHXTeTjMK 7yd3x0D30o//pFhoT01w16DNNbd7R2hjZ+wtEVFH7ooV3cvaXH2ViWkc2cH1cWOW iJGqivNfkRCJrfuAnqDKS+039p1zmkjWeqZQuJGag==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=gxbQTf rs+5iHEEuX/mn5WeZXC9f5CI7XMAL0A3jrFrE=; b=nhWSSZl4FzWoqHV0bwWWme Y2mNC3HKFRiB8JOJfv+5fAu1CGGCiPDvofdYd8wI9c5vhIor9OZ9LQ6UIlkccC6n miYgjQXgIHj5dUqhn5LFQKSsetuKv0DywkNLgEpJXUzd9dzo6jQeJ1bjvuqELLrp +awNbnNk5NImAPzYITGHDH+rmROR8MmDoRNMW7GZf8DmlLQFLdcf4cl5tWvZQllz qT20XRoIJr7s8+aGfteSFHRjXo5G/AmgM1/hkYEb7DofMJQs5HfnxhhKO9zsHa5i lUGjBRjoXVUrPaxEcPAmXMsjuUTEeJjtbFJgZDMpRKJB3Lixn7PeAlbEQGxdEf5g ==
X-ME-Sender: <xms:wLIlWa0d51iUdIaxbb3Mod26hs0X-OZ_mKcb7wvEPyC36zmhSBY2RA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 188489E259; Wed, 24 May 2017 12:20:16 -0400 (EDT)
Message-Id: <1495642815.971519.987329656.342C84A9@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-native-apps@ietf.org, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_14956428169715190"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-a5162694
References: <149563962282.28554.14590140614058686244.idtracker@ietfa.amsl.com> <CA+k3eCTOQx6Tnnk2n41GUROsD-LaOz2WwP+i=tqZGbBvR1twvQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTOQx6Tnnk2n41GUROsD-LaOz2WwP+i=tqZGbBvR1twvQ@mail.gmail.com>
Date: Wed, 24 May 2017 17:20:15 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/L33zJjLHv-IH1238Xl-USCAn9_k>
Subject: Re: [OAUTH-WG] Alexey Melnikov's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 16:20:19 -0000

On Wed, May 24, 2017, at 05:17 PM, Brian Campbell wrote:
> As far as I can tell, 'NOT RECOMMENDED' is fine per RFC 2119.
> 
> 
> from https://www.ietf.org/rfc/rfc2119.txt
> 
> 
> 
> 4. SHOULD NOT   This phrase, *or the phrase "NOT RECOMMENDED"* mean
>    that there may exist valid reasons in particular circumstances when
>    the particular behavior is acceptable or even useful, but the full
>    implications should be understood and the case carefully weighed
>    before implementing any behavior described with this label.
>
> And also this errata notes that NOT RECOMMENDED should be in the first
> part of the abstract
> https://www.rfc-editor.org/errata_search.php?rfc=2119&eid=499
Never mind then!

> 
> On Wed, May 24, 2017 at 9:27 AM, Alexey Melnikov
> <aamelnikov@fastmail.fm> wrote:>> Alexey Melnikov has entered the following ballot position for
>>  draft-ietf-oauth-native-apps-11: No Objection
>> 
>>  When responding, please keep the subject line intact and reply
>>  to all>>  email addresses included in the To and CC lines. (Feel free to
>>  cut this>>  introductory paragraph, however.)
>> 
>> 
>>  Please refer to
>>  https://www.ietf.org/iesg/statement/discuss-criteria.html>>  for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>>  The document, along with other ballot positions, can be found here:>> https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>> 
>> 
>> 
>>  ----------------------------------------------------------------
>>  ------>>  COMMENT:
>>  ----------------------------------------------------------------
>>  ------>> 
>>  A couple of nits:
>> 
>>  8.2.  OAuth Implicit Grant Authorization Flow
>> 
>>     The OAuth 2.0 implicit grant authorization flow as defined in
>>     Section 4.2 of OAuth 2.0 [RFC6749] generally works with the
>>     practice>>     of performing the authorization request in the browser, and
>>  receiving
>>     the authorization response via URI-based inter-app communication.>>     However, as the Implicit Flow cannot be protected by PKCE
>>     (which is>>  a
>>     required in Section 8.1), the use of the Implicit Flow with
>>     native>>     apps is NOT RECOMMENDED.
>> 
>>  NOT RECOMMENDED is not actually a construct allowed by RFC 2119,
>>  I think>>  you should reword it using "SHOULD NOT".
>> 
>>  It would be good to add RFC reference for HTTPS URIs.
>> 
>> 
>>  _______________________________________________
>>  OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth