Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-14.txt

John Bradley <ve7jtb@ve7jtb.com> Wed, 08 July 2015 01:29 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAP42hD=CXnWUgQ5b=cgtqp2TkOgXWQ89yZtyEJe9_19K+72Mw@mail.gmail.com>
Date: Tue, 07 Jul 2015 22:28:46 -0300
Message-Id: <68C4B3E0-0A40-4035-A6B8-EB553573BE5D@ve7jtb.com>
References: <20150706230550.12450.15077.idtracker@ietfa.amsl.com> <CAAP42hD=CXnWUgQ5b=cgtqp2TkOgXWQ89yZtyEJe9_19K+72Mw@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RNElZLGeH1pYgFzlABe3FuQTzsU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-14.txt

Thanks, I fixed my finger dyslexia for the next draft.

I changed it to t_m rather than “t”. I think that is clearer. If I were to do it the other way, XML2RFC would have double quotes in the text version.

John B. 
> On Jul 7, 2015, at 9:38 PM, William Denniss <wdenniss@google.com> wrote:
> 
> In version 14, there's a typo on this line ("deso") in Section 7.2:
> 
> `"plain" method deso not protect`
> 
> Also, in the 1.1 Protocol Flow diagram, regarding the text:
> 
> `+ t(code_verifier), t`
> 
> I wonder if it makes more sense to represent as `+ t(code_verifier), "t"` (note the quotes on the second 't') given that it's a string representation of the method that's being sent?
> 
> 
> On Mon, Jul 6, 2015 at 4:05 PM, <internet-drafts@ietf.org> wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>  This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
> 
>         Title           : Proof Key for Code Exchange by OAuth Public Clients
>         Authors         : Nat Sakimura
>                           John Bradley
>                           Naveen Agarwal
>         Filename        : draft-ietf-oauth-spop-14.txt
>         Pages           : 20
>         Date            : 2015-07-06
> 
> Abstract:
>    OAuth 2.0 public clients utilizing the Authorization Code Grant are
>    susceptible to the authorization code interception attack.  This
>    specification describes the attack as well as a technique to mitigate
>    against the threat through the use of Proof Key for Code Exchange
>    (PKCE, pronounced "pixy").
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-spop-14
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-spop-14
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
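The transform t(code_verifier) and the "plain" versus S256 distinction discussed in the thread above, worked through end to end as an added example. This is not code from the draft or its authors; the function names are my own, the attacker model follows the code interception attack the draft's abstract refers to, and the only fixed values are the code_verifier/code_challenge pair published in the spec's Appendix B (draft-ietf-oauth-spop, later RFC 7636). It shows why a server that accepts "plain" gets no protection against an attacker who observed the authorization request, while S256 forces that attacker to invert SHA-256.

```python
"""PKCE code_verifier / code_challenge and the token-endpoint check.

Added illustration of draft-ietf-oauth-spop (RFC 7636); not the draft's code.
"""
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in code_verifier (spec section 4.1).
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """High-entropy random code_verifier, 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def base64url_no_pad(data: bytes) -> str:
    """BASE64URL-ENCODE without '=' padding, as the spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(code_verifier: str, method: str = "S256") -> str:
    """t(code_verifier) for the transform t named by code_challenge_method."""
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64url_no_pad(digest)
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


def server_verify(stored_challenge: str, stored_method: str,
                  presented_verifier: str) -> bool:
    """Authorization server check at the token endpoint.

    The challenge and method were recorded with the authorization code at the
    authorization request; the verifier arrives with the token request.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(ch not in UNRESERVED for ch in presented_verifier):
        return False
    expected = code_challenge(presented_verifier, stored_method)
    # Constant-time comparison so timing does not leak a partial match.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))


def interceptor_can_redeem(observed_challenge: str, method: str) -> bool:
    """Model the interception attacker: they saw code_challenge (in the
    authorization request) and the returned code, but never code_verifier.
    Their best move is to present the observed challenge as the verifier."""
    return server_verify(observed_challenge, method, observed_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    for method in ("plain", "S256"):
        challenge = code_challenge(verifier, method)
        print(f"{method:5s} legit client ok: {server_verify(challenge, method, verifier)}"
              f"  interceptor ok: {interceptor_can_redeem(challenge, method)}")
```

Run it and the "plain" row shows the interceptor redeeming the code just as well as the legitimate client, which is the point behind the draft's statement that the "plain" method does not protect; the S256 row rejects the interceptor.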