[OAUTH-WG] draft-oauth-browser-based-apps
Deb Cooley <debcooley1@gmail.com> Thu, 16 January 2025 14:27 UTC
From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 16 Jan 2025 09:27:33 -0500
To: oauth <oauth@ietf.org>, draft-ietf-oauth-browser-based-apps.authors@ietf.org
CC: oauth-chairs@ietf.org
Message-ID: <CAGgd1OcTGfQ38Yf7FJ+g8t70UbOVw-LLco28P3t1=J5Mc5j_+A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/S8MKp70HLauXSQ8qg5vF5h89usY>
Here are the comments on my AD review of this draft. Most of them will be easy to fix, except for the normative references to changeable standards:

General: There are more than a couple of Normative references that are pointing to 'living documents'. From my reading of the draft these include: Cookie Prefixes, Fetch, Web-messaging, service-workers, webstorage. If at all possible, we need to find a way to specify a particular version via commit, snapshot, archive to make an immutable version. Or find a way to make them Informative. Basically this draft will be an RFC - immutable, yet a few of the Normative references are changeable.

BCP 14 boilerplate: idnits (a little blue button '! Nits' on the line above the text of the draft on the main datatracker page) is throwing errors on the BCP 14 boilerplate. Ideally, I'd like these fixed before moving this along (it just eliminates problems down the road).

Section 6.1.3.2, para 4: '...the BFF SHOULD encrypt its cookie contents.' Why not a MUST? Under what circumstances would it be reasonable to ignore this SHOULD?

Section 6.1.3.2, last para: Add this to the (Informative) references.

Section 6.3.4.2.2, first para: Add 'CryptoKeyPair' to the (Informative) references.

Section 7.4, first para, last sentence: Nit: 'This restrictions' should either be 'these restrictions' or 'this restriction'.

Section 11: RFC6819 is a normative reference, but it is Informational. We need to call that out in the IETF Last Call, and I have to approve the downref (which I will do).

Deb
Sec AD for oauth
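Two of the review points above concern the BFF's session cookie: the reference to Cookie Prefixes and the question of whether the BFF "SHOULD" or "MUST" encrypt its cookie contents. The following Go program is an added illustration, not code from the draft or from any of its authors, of what an encrypting BFF does in practice: it stores the browser's session state (here a constructed subject and access token) in a `__Host-` prefixed cookie whose value is sealed with AES-256-GCM, so the token never reaches browser JavaScript in the clear and any modification of the cookie value is rejected on the way back in. The `Session` type, the `SealSession`/`OpenSession` functions and the 32-byte key are assumptions made for this example; the cookie name is bound as associated data so a sealed value cannot be replayed under a different cookie name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Session is the per-browser state a BFF keeps on behalf of the frontend.
// Hypothetical shape for this example; a real BFF would carry more fields.
type Session struct {
	Subject     string `json:"sub"`
	AccessToken string `json:"at"`
}

// __Host- prefix: the browser only accepts it with Secure, Path=/ and no Domain.
const cookieName = "__Host-session"

// SealSession encrypts the session with AES-256-GCM (key must be 32 bytes)
// and returns the cookie as the BFF would set it on the response.
func SealSession(key []byte, s Session) (*http.Cookie, error) {
	plaintext, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout is nonce || ciphertext || GCM tag; the cookie name is
	// bound as associated data so the value is tied to this cookie.
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(cookieName))
	return &http.Cookie{
		Name:     cookieName,
		Value:    base64.RawURLEncoding.EncodeToString(sealed),
		Path:     "/",
		Secure:   true,
		HttpOnly: true, // the frontend JavaScript never sees the token
		SameSite: http.SameSiteStrictMode,
	}, nil
}

// OpenSession authenticates and decrypts a cookie produced by SealSession.
// Any bit flip in the value, or a different key, fails the GCM tag check.
func OpenSession(key []byte, c *http.Cookie) (Session, error) {
	var s Session
	if c == nil || c.Name != cookieName {
		return s, errors.New("unexpected cookie name")
	}
	raw, err := base64.RawURLEncoding.DecodeString(c.Value)
	if err != nil {
		return s, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return s, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return s, err
	}
	if len(raw) < aead.NonceSize() {
		return s, errors.New("cookie value too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, []byte(cookieName))
	if err != nil {
		return s, errors.New("cookie failed authentication")
	}
	err = json.Unmarshal(plaintext, &s)
	return s, err
}

// MeetsHostPrefix checks the attributes the __Host- prefix requires.
func MeetsHostPrefix(c *http.Cookie) bool {
	return strings.HasPrefix(c.Name, "__Host-") && c.Secure && c.Path == "/" && c.Domain == ""
}

func main() {
	key := make([]byte, 32) // constructed key; a real BFF loads it from its secret store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, err := SealSession(key, Session{Subject: "alice", AccessToken: "constructed-token"})
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", c.String())
	s, err := OpenSession(key, c)
	fmt.Println("opened:", s.Subject, err)
}
```

Running the program prints the `Set-Cookie` line the browser would receive and then the subject recovered from it. The point relevant to the review question is in `OpenSession`: because the value is authenticated as well as encrypted, a BFF that skips encryption has to fall back on a separate integrity check (a MAC) to get the same tamper rejection, which is the property a plaintext cookie lacks.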