[OAUTH-WG] Genart last call review of draft-ietf-oauth-device-flow-10
Robert Sparks <rjsparks@nostrum.com> Mon, 11 June 2018 16:20 UTC
Message-ID: <152873404689.2672.12557627140070509936@ietfa.amsl.com>
Date: Mon, 11 Jun 2018 09:20:46 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WOA637zofjsaITWeLBzQ4BQof_s>
Reviewer: Robert Sparks
Review result: Ready with Nits

I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments.

For more information, please see the FAQ at <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-oauth-device-flow-10
Reviewer: Robert Sparks
Review Date: 2018-06-11
IETF LC End Date: 2018-06-12
IESG Telechat date: Not scheduled for a telechat

Summary: Ready for publication as a Proposed Standard RFC, but with nits to consider

Nits/editorial comments:

In 3.5 "the client MUST use a reasonable default polling interval" is not testable. Who determines "reasonable"? At the very least, you should add some text about how to determine what "reasonable" is for a given device, and add some text that says don't poll faster than earlier responses limited you to. For example, if the response at step B in the introductory diagram had an explicit interval of 15, but a slow-down response to an E message didn't have an explicit interval, you don't want them to default to, say, 5 seconds (because that's what the example in section 3.2 said, so it must be reasonable).

In 3.3, you say the device_code MUST NOT be displayed or communicated. Is there a security property that's lost if there is? Or is this just saying "Don't waste space or the user's time"?

The last paragraph of section 6.1 feels like a recipe for false positives, and for bug-entrenched code. Please reconsider it.

You need line-folding in the example in section 3.2.
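The polling behaviour the review asks the draft to pin down, written out as a client-side policy. This is an added example, not code from the draft, the working group, or the reviewer. It assumes the response shapes of the draft (a device authorization response carrying device_code, user_code, verification_uri, expires_in and an optional interval; token endpoint errors authorization_pending, slow_down, expired_token and access_denied). The 5-second backoff applied when slow_down arrives without an explicit interval is the value the published RFC 8628 later fixed; the PollState, start, on_token_response and run_flow names are this example's own. All responses are constructed inline; nothing touches the network.

```python
# Device-flow client polling policy (added example, not the draft's code).
# Rule being demonstrated: the interval only ever ratchets upward. A server
# that once said "interval: 15" is never polled faster than that again, and a
# slow_down without an explicit interval backs off from the current rate
# instead of reverting to the default the spec's example happens to use.
from dataclasses import dataclass

DEFAULT_INTERVAL = 5   # seconds; the draft's example value, so clients copy it
SLOW_DOWN_STEP = 5     # seconds added on slow_down with no interval (RFC 8628 value)


@dataclass
class PollState:
    interval: int = DEFAULT_INTERVAL
    floor: int = DEFAULT_INTERVAL   # slowest rate the server has ever mandated
    elapsed: int = 0
    expires_in: int = 0


def start(state: PollState, device_resp: dict) -> PollState:
    """Step B: device authorization response. A server-supplied interval
    becomes the floor for the rest of the flow."""
    state.expires_in = int(device_resp["expires_in"])
    if "interval" in device_resp:
        state.interval = max(state.interval, int(device_resp["interval"]))
        state.floor = state.interval
    return state


def user_prompt(device_resp: dict) -> str:
    """What the device shows the user. device_code is what the device itself
    presents to the token endpoint, so it is deliberately left out."""
    return "Visit %s and enter code %s" % (
        device_resp["verification_uri"], device_resp["user_code"])


def on_token_response(state: PollState, resp: dict) -> str:
    """Step E: returns 'authorized', 'continue', or a terminal error name."""
    if "access_token" in resp:
        return "authorized"
    err = resp.get("error", "unknown_error")
    if err == "slow_down":
        if "interval" in resp:
            # Explicit interval is honoured only in the slower direction.
            state.interval = max(state.interval, int(resp["interval"]))
        else:
            # No interval given: back off from the CURRENT rate, never
            # reset to DEFAULT_INTERVAL (the 15 -> 5 regression in the review).
            state.interval += SLOW_DOWN_STEP
        state.floor = max(state.floor, state.interval)
    elif err != "authorization_pending":
        return err   # expired_token, access_denied, or anything unknown: stop
    state.interval = max(state.interval, state.floor)
    return "continue"


def run_flow(device_resp: dict, token_responses: list) -> tuple:
    """Drive the loop over scripted token responses. Returns
    (outcome, seconds waited before each poll); no real sleeping."""
    state = start(PollState(), device_resp)
    waits = []
    for resp in token_responses:
        waits.append(state.interval)
        state.elapsed += state.interval
        if state.elapsed > state.expires_in:
            return "expired_token", waits   # device_code lifetime passed; stop locally
        outcome = on_token_response(state, resp)
        if outcome != "continue":
            return outcome, waits
    return "pending", waits   # script exhausted while still pending


# Constructed sample exchange (not captured traffic); values are made up.
DEVICE_RESP = {
    "device_code": "dev-code-constructed-1",
    "user_code": "WDJB-MJHT",
    "verification_uri": "https://example.com/device",
    "expires_in": 1800,
    "interval": 15,
}

if __name__ == "__main__":
    print(user_prompt(DEVICE_RESP))
    print(run_flow(DEVICE_RESP, [
        {"error": "authorization_pending"},
        {"error": "slow_down"},   # no interval: back off to 20, not down to 5
        {"error": "authorization_pending"},
        {"access_token": "tok-constructed", "token_type": "bearer"},
    ]))
```

The interesting line is the else branch under slow_down: a client that rebuilds its interval from DEFAULT_INTERVAL on every response would pass a naive test against the section 3.2 example and still hammer a server that had asked for 15 seconds. Pinning the floor at start() and only ever raising it is the testable form of "don't poll faster than earlier responses limited you to".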