IETF Logo Mail Archive

Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)

Ben Campbell <ben@nostrum.com> Fri, 03 August 2018 20:39 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A86A130F25; Fri, 3 Aug 2018 13:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKrzyVwUYlTR; Fri, 3 Aug 2018 13:39:03 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A995C1310DC; Fri, 3 Aug 2018 13:39:02 -0700 (PDT)
Received: from [10.0.1.95] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w73Kcwxw001693 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 3 Aug 2018 15:38:59 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.95]
From: Ben Campbell <ben@nostrum.com>
Message-Id: <8CBE7CF0-04A4-4412-9749-A33B29F81638@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_FFD72AF8-007D-4D97-A728-0E995756D7E6"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 03 Aug 2018 15:38:56 -0500
In-Reply-To: <CAAP42hBcF524kXtuQJY9-GMgXwsNM5NW44AyGM8nBTtF28PAWA@mail.gmail.com>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org
To: William Denniss <wdenniss=40google.com@dmarc.ietf.org>
References: <153315936951.22029.4751693198552667112.idtracker@ietfa.amsl.com> <CAAP42hBcF524kXtuQJY9-GMgXwsNM5NW44AyGM8nBTtF28PAWA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UePe7U8x42utEJWqAesaaIuOXFI>
Subject: Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 20:39:05 -0000

Hi, thanks for the response. Comments inline. I removed sections that seem resolved.

Ben.

> On Aug 2, 2018, at 4:56 PM, William Denniss <wdenniss=40google.com@dmarc.ietf.org> wrote:
> 

[…]

> Major Comment:
> 
> I support Mirja's DISCUSS. (Otherwise, this would be a DISCUSS), but I have a
> slightly different spin on it. The device polls the server while waiting on the
> user to take action. Users are notoriously slow about that sort of thing. They
> might plug in a device then walk away for hours, days, or forever.  Now,
> consider that we are talking about IoT devices, so there may be millions of
> them. If they are fate shared in some way (imagine shipping day for a new
> popular product, or a software update that forces reauthorization, or a server
> coming back online after getting whacked the last time around), there could be
> millions of them trying this at the roughly the same time.
> 
> Given all that, I think the draft really needs to give more detailed guidance
> on what sort of refresh rates, maximum attempts, expirations, back off
> patterns, etc might be reasonable from both network congestion and server
> overload perspectives.
> 
> Version 12 adds defaults for the interval, documents slow_down behavior, and now requires that an expiry time is given (previously this was optional).
> 
> Regarding maximum attempts, as that is a function of interval and the expiry the AS can decide this (and also has the slow_down mechanism if they need).

That all helps. But I think it would be useful to have some guidance about how one should choose these values, or what things people should think about. Do you think the defaults are good for most cases? Are there situations that would warrant faster or slower polling? I’m not asking for anything complex or normative. (Also, keep in mind this is a non-blocking comment. If people don’t think the additional work is worthwhile, then so be it.)


> 
> 
> Other Substantive Comments:

[…]
> 
> §3.3, last paragraph: The "NOT RECOMMENDED" seems overly strong, given that the
> next section describes a perfectly good way to do exactly that. Maybe something
> like "NOT RECOMMENDED unless the device uses a non-textual mechanism for
> conveying the URL and code, such as that described in ..." would make sense?
> 
> The next section uses `verification_uri_complete` which is separate to `verification_uri`, this NOT RECOMMENDED refers to the latter only. Also the text immediately following the block you quoted reads "The next section documents user interaction with "verification_uri_complete", which is designed to carry this information." Even devices that use the non-textual mechanism may also display the vanilla `verification_uri` and user_code as a fallback, as Figure 3 shows, and so this NOT RECOMMENDED still applies to the `verification_uri` that they display.
> 
> Figure 3 was updated to indicate that the user either scans the QR code *or* follows the fallback options.
> 
> 

Okay.

[…]

v2.23.0 | Report a Bug | By Email