[OAUTH-WG] Opsdir last call review of draft-ietf-oauth-device-flow-10

Qin Wu <bill.wu@huawei.com> Tue, 12 June 2018 11:25 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D0197130E2C; Tue, 12 Jun 2018 04:25:36 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Qin Wu <bill.wu@huawei.com>
To: ops-dir@ietf.org
Cc: draft-ietf-oauth-device-flow.all@ietf.org, ietf@ietf.org, oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.81.2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152880273680.9205.1844934984494262436@ietfa.amsl.com>
Date: Tue, 12 Jun 2018 04:25:36 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TIoYq0d3SnlPHkgSgT32Ab_NrS4>
Subject: [OAUTH-WG] Opsdir last call review of draft-ietf-oauth-device-flow-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 11:25:37 -0000

Reviewer: Qin Wu
Review result: Ready

I have reviewed this document as part of the Operational directorate¡¯s ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments just like any other last call comments. Document reviewed:
 draft-ietf-oauth-device-flow

Summary:
This document defines device flow among browserless and input constrained
devices, end user at browser and authorization server. This device flow allows
OAuth clients to request user authorization from devices that have an Internet
connection, but don't have an easy input method. This document is well written,
especially security consideration section. I think it is ready for publication.

Major issue: None
Minor issue: Editorial
Section 3.3.1
The short name for NFV needs to be expanded, maybe add reference.
QR code also needs to be expanded.
Section 3.5:
Who is token endpoint, how token endpoint is related to authorization server?
Would it be great to add some clarification text about this. Section 4: Would
it be great to clarify the relationship between device_authorization_endpoint
defined in this document and authorization_endpoint defined in
draft-ietf-oauth-discovery-10 and explain why authorization_endpoint is not
sufficient,e.g., draft-ietf-oauth-discovery-10 has already defined
authorization server metadata value authorization_endpoint, however ¡­¡­