[OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-token-exchange-16: (with DISCUSS and COMMENT)
Alissa Cooper <alissa@cooperw.in> Tue, 20 November 2018 19:50 UTC
From: Alissa Cooper <alissa@cooperw.in>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-token-exchange@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, rifaat.ietf@gmail.com, oauth@ietf.org
Date: Tue, 20 Nov 2018 11:50:43 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TLgBN17A5KJEcfX1VRcvKFYQMOo>
Subject: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-token-exchange-16: (with DISCUSS and COMMENT)
Alissa Cooper has entered the following ballot position for
draft-ietf-oauth-token-exchange-16: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Section 6: The requirements around confidentiality here are weaker than
in both RFC 7519 Sec. 12 and RFC 6749 Sec. 10.8. Why?

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 3: If I understand this correctly:

"The distinction between an access token and a JWT is subtle."

I think it would be clearer if it said:

"The distinction between an access token type and a JWT token type is
subtle."

Section 4.1: What is the value of maintaining the whole delegation chain
rather than expressing just the most recent delegation? Doesn't it
potentially expose information about past exchanges unnecessarily?
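Added illustration for the Section 4.1 comment above (not part of the ballot message, and not code from the draft or its authors): the draft expresses a delegation chain by nesting "act" (actor) claims inside a JWT, with the outermost "act" being the current actor and each nested "act" a prior one. The script below builds a constructed claim set with a three-party chain, walks the nesting to recover the full history a token recipient can read, and contrasts that with a copy that keeps only the most recent delegation. The issuer, subject, audience and service identifiers are constructed sample values, and the function names are the example's own.

```python
# Added example: inspecting the nested "act" claim that the token exchange draft
# uses for delegation chains, and comparing what a recipient learns from the full
# chain versus a token that carries only the most recent actor.
import json

# Constructed sample claims (all identifiers are made up). The outermost "act"
# is the current actor; each nested "act" is the party that acted before it,
# so the least recent actor is the most deeply nested.
SAMPLE_CLAIMS = {
    "iss": "https://as.example.com",            # constructed issuer
    "sub": "user@example.com",                  # subject the chain acts on behalf of
    "aud": "https://api.example.com",           # constructed audience
    "act": {
        "sub": "https://service3.example.com",  # current actor
        "act": {
            "sub": "https://service2.example.com",
            "act": {"sub": "https://service1.example.com"},
        },
    },
}


def delegation_chain(claims):
    """Return actor identifiers from the current actor down to the earliest one
    by following nested "act" claims; an empty list when there is no actor."""
    chain = []
    act = claims.get("act")
    while isinstance(act, dict):
        sub = act.get("sub")
        if sub is None:
            raise ValueError('"act" claim without a "sub" member')
        chain.append(sub)
        act = act.get("act")
    return chain


def exposed_history(claims):
    """Identifiers the token recipient learns about *past* exchanges, i.e. every
    actor in the chain other than the current one."""
    return delegation_chain(claims)[1:]


def most_recent_delegation_only(claims):
    """Return a copy of the claims that keeps only the current actor and drops
    the nested history (the alternative the ballot comment asks about)."""
    trimmed = dict(claims)
    act = claims.get("act")
    if isinstance(act, dict):
        trimmed["act"] = {k: v for k, v in act.items() if k != "act"}
    return trimmed


if __name__ == "__main__":
    print("full chain:           ", delegation_chain(SAMPLE_CLAIMS))
    print("history exposed:      ", exposed_history(SAMPLE_CLAIMS))
    trimmed = most_recent_delegation_only(SAMPLE_CLAIMS)
    print("trimmed act claim:    ", json.dumps(trimmed["act"]))
    print("history after trimming:", exposed_history(trimmed))
```

Running it shows that a recipient of the full token learns the two earlier services in the chain, while the trimmed token reveals only the current actor; whether that history is needed (for example, for audit or policy decisions at the resource) is exactly the trade-off the comment raises.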