Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-introspection-09: (with COMMENT)
Justin Richer <jricher@mit.edu> Tue, 09 June 2015 16:07 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3A91A8AB3; Tue, 9 Jun 2015 09:07:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FhYF0uMNirq6; Tue, 9 Jun 2015 09:07:51 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 054AC1A8AAE; Tue, 9 Jun 2015 09:07:50 -0700 (PDT)
X-AuditID: 12074425-f79076d000000db5-c3-55770f54cce5
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id D9.11.03509.45F07755; Tue, 9 Jun 2015 12:07:48 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t59G7lKd014867; Tue, 9 Jun 2015 12:07:47 -0400
Received: from [192.168.3.54] ([12.217.69.145]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t59G7e0I028655 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 9 Jun 2015 12:07:42 -0400
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_4AEFC267-260D-4F00-BB82-D1BC392A3136"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5b6
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <20150608123617.6617.42932.idtracker@ietfa.amsl.com>
Date: Tue, 09 Jun 2015 09:07:37 -0700
Message-Id: <A62D61C9-C6A0-4988-B7DC-73B39F69FCD5@mit.edu>
References: <20150608123617.6617.42932.idtracker@ietfa.amsl.com>
To: Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.2098)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrFKsWRmVeSWpSXmKPExsUixCmqrRvCXx5q8H66rMWhxZdYLc5uus1u sWJ5ucWLxTuZLWb8mchscXvuSjaLk29fsTmwe7Ss6mX2WLLkJ1MAUxSXTUpqTmZZapG+XQJX xtyfU9kL7qtXXDx0m7WB8ZBCFyMnh4SAicSqM+vYIWwxiQv31rN1MXJxCAksZpJY9nMOE4Sz gVHifONyVghnNZNET8MysBZhgXSJ4w/fsoHYvAJ6Eo+ePmYHKWIWmMIo8fDEPSaIuVISTa+P MYLYbAKqEtPXtADFOTg4BRwlvs0IBwmzCKhIrPn5gwWi9xejxJMjO9khhlpJfJzbDNYrJOAg cek9SBEnh4iApsTzz1PA5kgIyEp83So3gVFwFpIzZiE7AyTBLKAtsWzha2YIW1Nif/dyFghb XmL72zlQcUuJxTNvQMVtJW71LYDqtZN4NG0R6wJGjlWMsim5Vbq5iZk5xanJusXJiXl5qUW6 Fnq5mSV6qSmlmxhB0cbuorqDccIhpUOMAhyMSjy8JxTKQoVYE8uKK3MPMUpyMCmJ8przlIcK 8SXlp1RmJBZnxBeV5qQWH2JUAdr1aMPqC4xSLHn5ealKIrx7nwC18qYkVlalFuXDlElzsCiJ 8276wRciJJCeWJKanZpakFoEk5Xh4FCS4M3lA1ogWJSanlqRlplTgpBm4uA8xCjBwQM0/Ccv UA1vcUFibnFmOkT+FKOilDjvNZCEAEgiozQPrheWJF8xigO9JcyrBLKCB5hg4bpfAQ1mAhq8 kBlscEkiQkqqgbGivi028mk5o2d5/BLvA/NXNy9hWN7xT7ss4pnebyWuOaoZBn77q5+KyLar 39Pirsy6X/fucK/fsWkaziLxijxLIgx1mneFHvnQqL1vU3LAjw13CyX5TORXPLuzfI79G8Hq eSGLXlnv6rFykopsa3u3417XzMBGobSKZrElBwJrZVIeKUZYKrEUZyQaajEXFScCACBXRIlt AwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TAkxnBPkRUyYuzIL3k5plQHNGGw>
Cc: draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-introspection.shepherd@ietf.org, The IESG <iesg@ietf.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-introspection-09: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2015 16:07:54 -0000
Barry, thanks for the review. Responses inline. > On Jun 8, 2015, at 5:36 AM, Barry Leiba <barryleiba@computer.org> wrote: > > Barry Leiba has entered the following ballot position for > draft-ietf-oauth-introspection-09: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > All of the stuff below is fairly minor and isn't blocking... but I would > like to discuss with you any items that you disagree with, please. > > -- Section 1 -- > > This specification defines an interoperable web API > > How is that different from, "This specification defines an API"? I don't > know why a web API differs from any other kind of API, nor what makes an > API particularly interoperable. That said, this document appears not to > be defining an API at all... it seems to be defining a protocol. Why do > you think it's an API? > I’m fine with just calling it a protocol, I don’t want people to garden-path on it. > -- Section 2 -- > > The introspection endpoint MUST be protected by a transport-layer > security mechanism as described in Section 4. > > I know what it means for a communication path to be protected by TLS, but > I don't know what it means for an endpoint to be. Can you explain that? The gist is simple: It must be served over HTTPS, not HTTP. > > -- Section 2.1 -- > The server MUST support POST, and MAY support GET. What's the value in > that? I don't see any way for a client (I mean HTTP client, not Oauth > client, here) to know, so all clients will have to send POST to be sure > it will work. Are you really expecting to have clients that want to ask > this, but that can't send POST? Given that you call out privacy concerns > with GET, I don't see why it's there at all. > GET is a deployment optimization that some servers will offer, and the OAuth client will tell the HTTP client which verb to use. The OAuth client might know through configuration (assuming a tighter coupling than defined by the interoperable protocol) > -- Section 2.2 -- > The definition of "scope" is odd, because I think you mean that it's a > single JSON string, and that the content of the string is a > space-separated list of scope values... it's not actually multiple JSON > strings, right? > You are correct in your reading and that’s a better way to state that, thank you. > -- Section 3.1 -- > I'd REALLY like to see us stop trying to tell IANA how to handle review > by designated experts. This should be re-cast as instructions to the DE > (to make sure that the mailing list is consulted), and IANA should be > left to handle the expert review with their existing process, which works > fine. > > While we're at it, it would be nice to have some further instruction to > the DEs about what they should be looking at when deciding whether to > approve a request. There's some very minimal instruction under "name" in > the template, but that's all. Is there nothing more to say? > > -- References -- > Because many of the items in the response are defined in RFC 7519, I > think that RFC should be a normative reference. > > That’s a fair comment, I’ll change that. Thank you, — Justin > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Barry Leiba's No Objection on draft-ie… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Kathleen Moriarty
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Justin Richer
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Justin Richer
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Justin Richer