Re: [OAUTH-WG] [Gen-art] Genart last call review of draft-ietf-oauth-device-flow-10

William Denniss <wdenniss@google.com> Tue, 31 July 2018 16:07 UTC

In-Reply-To: <CB9FD96F-EED3-4D09-B744-B576052D52CE@cooperw.in>
References: <152873404689.2672.12557627140070509936@ietfa.amsl.com> <c53a8e8f-7873-3c5a-aa6f-3e0a896c9a88@nostrum.com> <CB9FD96F-EED3-4D09-B744-B576052D52CE@cooperw.in>
From: William Denniss <wdenniss@google.com>
Date: Tue, 31 Jul 2018 09:06:38 -0700
Message-ID: <CAAP42hDOcViyK6=faz+azP_E680T3ozS5bOLrjooCy1dKZfg4w@mail.gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Cc: Robert Sparks <rjsparks@nostrum.com>, General Area Review Team <gen-art@ietf.org>, draft-ietf-oauth-device-flow.all@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WpJ3QtInBkYyJ1PIEoreabFNOi4>

Thank you Robert, and Alissa, we really appreciate your feedback. My
co-authors and I are processing yours and all the feedback received so far.
We'll reply to your points in the coming days.


On Tue, Jul 31, 2018 at 8:58 AM, Alissa Cooper <alissa@cooperw.in> wrote:

> Robert, thanks for your review. I have pointed to it in my No Objection
> ballot.
>
> Alissa
>
> > On Jul 20, 2018, at 1:37 PM, Robert Sparks <rjsparks@nostrum.com> wrote:
> >
> > As far as I can tell, there has been no response to this. The document
> > revision just updated a reference to reflect an rfc having been published.
> >
> > Apologies if I missed a response.
> >
> > RjS
> >
> >
> > On 6/11/18 12:20 PM, Robert Sparks wrote:
> >> Reviewer: Robert Sparks
> >> Review result: Ready with Nits
> >>
> >> I am the assigned Gen-ART reviewer for this draft. The General Area
> >> Review Team (Gen-ART) reviews all IETF documents being processed
> >> by the IESG for the IETF Chair.  Please treat these comments just
> >> like any other last call comments.
> >>
> >> For more information, please see the FAQ at
> >>
> >> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> >>
> >> Document: draft-ietf-oauth-device-flow-10
> >> Reviewer: Robert Sparks
> >> Review Date: 2018-06-11
> >> IETF LC End Date: 2018-06-12
> >> IESG Telechat date: Not scheduled for a telechat
> >>
> >> Summary: Ready for publication as a Proposed Standard RFC, but with nits to
> >> consider
> >>
> >> Nits/editorial comments:
> >>
> >> In 3.5 "the client MUST use a reasonable default polling interval" is not
> >> testable. Who determines "reasonable"? At the very least, you should add some
> >> text about how to determine what "reasonable" is for a given device, and add
> >> some text that says don't poll faster than earlier responses limited you to.
> >> For example, if the response at step B in the introductory diagram had an
> >> explicit interval of 15, but a slow-down response to an E message didn't have
> >> an explicit interval, you don't want them to default to, say 5 seconds (because
> >> that's what the example in section 3.2 said, so it must be reasonable).
> >>
> >> In 3.3, you say the device_code MUST NOT be displayed or communicated. Is there
> >> a security property that's lost if there is? Or is this just saying "Don't
> >> waste space or the user's time"?
> >>
> >> The last paragraph of section 6.1 feels like a recipe for false positives, and
> >> for bug-entrenched code. Please reconsider it.
> >>
> >> You need line-folding in the example in section 3.2.
> >>
> >>
> >> _______________________________________________
> >> Gen-art mailing list
> >> Gen-art@ietf.org
> >> https://www.ietf.org/mailman/listinfo/gen-art
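The polling behaviour Robert's 3.5 comment asks for, and the 3.3 point about not showing the device_code, as an added example in Python that is not code from draft-ietf-oauth-device-flow or from anyone in this thread. It uses the token-endpoint error codes the draft defines (authorization_pending, slow_down, access_denied, expired_token) and the 5-second slow_down increment as published in RFC 8628, which this draft became. The rule that an explicit "interval" in a later response may raise but never lower the interval in force is this editor's reading of the reviewer's "don't poll faster than earlier responses limited you to", not draft text. All responses, codes and URLs are constructed inline; nothing is sent over the network.

```python
"""Client-side polling logic for the OAuth device flow.

Added example for this thread, not code from the draft or its authors.
The interval in force only ever grows: a "slow_down" without an explicit
"interval" adds SLOW_DOWN_INCREMENT to the current value instead of falling
back to the 5-second default, and a smaller explicit "interval" is ignored.
Only user_code and verification_uri are ever shown to the user.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DEFAULT_INTERVAL = 5     # seconds; the draft's section 3.2 example value, used when "interval" is absent
SLOW_DOWN_INCREMENT = 5  # seconds; the increment RFC 8628 section 3.5 requires on "slow_down"

# Error codes the token endpoint returns while the user has not yet acted.
CONTINUE_ERRORS = {"authorization_pending", "slow_down"}
TERMINAL_ERRORS = {"access_denied", "expired_token"}


@dataclass
class DeviceAuthorization:
    """Fields of a device authorization response (section 3.2)."""
    device_code: str
    user_code: str
    verification_uri: str
    expires_in: int
    interval: Optional[int] = None


def user_prompt(auth: DeviceAuthorization) -> str:
    """Text the device may display. device_code is deliberately left out:
    with the client_id it is all a caller needs to poll the token endpoint
    and collect the token once the user approves, so it stays between the
    client and the authorization server."""
    return (f"On another device, visit {auth.verification_uri} "
            f"and enter the code {auth.user_code}")


def token_request(auth: DeviceAuthorization, client_id: str) -> Dict[str, str]:
    """Form parameters of one poll of the token endpoint (section 3.4)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "device_code": auth.device_code,
        "client_id": client_id,
    }


def next_interval(current: int, response: dict) -> int:
    """Seconds to wait before the next poll, given the response just received.

    Monotone: never returns less than `current`. A "slow_down" adds the
    increment; an explicit "interval" in the response (the reviewer's
    hypothetical) is honoured only if it does not speed polling up."""
    proposed = current
    if response.get("error") == "slow_down":
        proposed = current + SLOW_DOWN_INCREMENT
    if "interval" in response:
        proposed = max(proposed, int(response["interval"]))
    return proposed


def poll_schedule(auth: DeviceAuthorization, responses: Iterable[dict]) -> dict:
    """Replay token-endpoint responses and record what a conforming client does.

    Returns the wait before each poll, the interval in force at the end and
    the outcome. Polling stops on a token, on a terminal error, or when the
    next wait would exceed the device_code's expires_in budget."""
    interval = auth.interval if auth.interval is not None else DEFAULT_INTERVAL
    waits: List[int] = [interval]  # the first poll waits the initial interval
    elapsed = interval
    outcome = "pending"
    for resp in responses:
        if "access_token" in resp:
            outcome = "token"
            break
        err = resp.get("error")
        if err in TERMINAL_ERRORS:
            outcome = err
            break
        if err not in CONTINUE_ERRORS:
            outcome = f"unexpected:{err}"
            break
        interval = next_interval(interval, resp)
        if elapsed + interval > auth.expires_in:
            outcome = "expired_token"  # give up locally rather than overrun the budget
            break
        waits.append(interval)
        elapsed += interval
    return {"waits": waits, "final_interval": interval, "outcome": outcome}


if __name__ == "__main__":
    # The reviewer's scenario (constructed values): step B said interval=15,
    # a later slow_down says nothing about interval. A naive client would
    # drop back to 5 s; this one goes 15, 15, 20, 20.
    auth = DeviceAuthorization(device_code="dc-example", user_code="ABCD-EFGH",
                               verification_uri="https://example.com/device",
                               expires_in=600, interval=15)
    print(user_prompt(auth))
    print(poll_schedule(auth, [
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "at-example", "token_type": "bearer"},
    ]))
```

The monotone rule in `next_interval` is the part that answers the nit: whatever default the client starts from, once the server has said 15 it can never be talked back down to 5 by a response that is silent about the interval.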