[OAUTH-WG] Genart last call review of draft-ietf-oauth-browser-based-apps-22

Thomas Fossati via Datatracker <noreply@ietf.org> Sun, 26 January 2025 15:14 UTC

To: gen-art@ietf.org
CC: draft-ietf-oauth-browser-based-apps.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Reply-To: Thomas Fossati <thomas.fossati@linaro.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LZMIEjWy3o0Royfa4Opw6m8woyk>

Reviewer: Thomas Fossati
Review result: Ready with Nits

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-oauth-browser-based-apps-22
Reviewer: Thomas Fossati
Review Date: 2025-01-26
IETF LC End Date: 2025-02-04
IESG Telechat date: Not scheduled for a telechat

Summary:

This is a BCP for browser-based apps that use OAuth 2.0.
It's a companion to BCP212, which contains similar recommendations for
OAuth 2.0 native apps.

This document is very clearly written, exhaustive, and well-organised.
From a Gen-ART perspective, it's ready to ship.
Many thanks to the editors and the oauth WG.

One question for the editors and WG regarding the BCP status: is
this doc going into BCP212 or does it get its own BCP number?

Major issues: none

Minor issues: none

Nits/editorial comments:

One editorial nit regarding the use of the term "scenario" in sentences
like:

    "scenarios that attackers can use"
    "[...] scenarios that an attacker can execute"

To my (non-native) ears, to "use/execute a scenario" sounds a bit
weird :-) Maybe "attack _strategies_ that an attacker can _exploit_"?

Apart from that, I have packed a bunch of small fixes into a PR [1].

[1] https://github.com/oauth-wg/oauth-browser-based-apps/pull/65