Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-09.txt

Nat Sakimura <sakimura@gmail.com> Thu, 05 February 2015 03:56 UTC

From: Nat Sakimura <sakimura@gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/X5zOV4Z-NHA4KOT463o3mo8ZypU>
Cc: "oauth@ietf.org" <oauth@ietf.org>

2015-02-05 10:43 GMT+09:00 Manger, James <James.H.Manger@team.telstra.com>:

> >     Title           : Proof Key for Code Exchange by OAuth Public Clients
> >       Filename        : draft-ietf-oauth-spop-09.txt
> > https://tools.ietf.org/html/draft-ietf-oauth-spop-09
>
>
> Some nits on this draft:
>
> 1. 42 chars.
> The lower limit of 42 chars for code_verifier: is not mentioned in prose
> (just the upper limit); is too high (128-bits=22-chars is sufficient); and
> doesn't correspond to 256-bits (BASE64URL-ENCODE(32 bytes) gives 43 chars,
> not 42).
>

Thanks for pointing that out.


>
> 2.
> Quotes around "code_verifier" and "code_challenge" in prose are okay,
> though not really necessary, as the underscore is enough to distinguish them
> as technical labels. Quotes around these terms in a formula are bad, as it
> looks like the formula applies to the 13 or 14 chars of the label. The
> quoting is also used inconsistently.
> Suggestion: remove all quotes around "code_verifier" and "code_challenge"
> in prose and formulas.
> For example, change ASCII("code_verifier") to ASCII(code_verifier).
>

They are actually put in by the tools automagically.
In XML, it is <spanx style="verb"> </spanx>, and if HTML is compiled from
it, it will appear in fixed-width type.
However, the xml2txt converter at tools.ietf.org does convert them to
quoted strings.
We have also found other nits due to the tools and are trying to figure out
what to do.
We may end up modifying the text to avoid those tool issues.

>
>
> 3.
> Two ways to check code_verifier are given in appendix B, whereas only one
> of these is mentioned in section 4.6.
>   SHA256(verifier) === B64-DECODE(challenge)
>   B64-ENCODE(SHA256(verifier)) === challenge
>
> I suggest only mentioning the 2nd (change 4.6 to use the 2nd, and drop the
> 1st from appendix B). It is simpler to mention only one. It also means
> base64url-decoding is never done, and doesn't need to be mentioned in the
> spec.
>

Good point.


>
>
> 4.
> Expand "MTI" to "mandatory to implement".
>

Will do.


>
> P.S. Suggesting code challenge method names not exceed 8 chars to be
> compact is a bit perverse given the field holding these values has the long
> name "code_challenge_method" ;)
>

Yup.


>
> --
> James Manger



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
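Worked example, added by the editor and not code from the draft or from either correspondent: both sides of the S256 exchange in Python, covering nit 1 (BASE64URL-ENCODE of 32 random bytes is 43 characters, not 42) and nit 3 (the two ways of checking the verifier). It assumes the 43..128 character verifier range that RFC 7636 eventually adopted in place of draft-09's 42, and the names `verify_encoded`, `verify_decoded` and `noncanonical_variant` are the editor's. It also shows a reason for preferring the encoded comparison that the thread does not state: a lenient base64url decoder discards the two trailing bits of a 43-character string, so the decode-then-compare form accepts a non-canonical encoding of the same digest, while comparing in the encoded domain rejects it.

```python
import base64
import hashlib
import hmac
import os
import re

# Verifier grammar as RFC 7636 finally specified it: 43 to 128 characters
# from the unreserved set.  draft-09 said 42; BASE64URL-ENCODE of 32 random
# bytes is 43 characters, which is James's first nit.  (Editor's assumption
# that the published range is the one to implement.)
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

B64URL_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url_encode(data: bytes) -> str:
    """BASE64URL-ENCODE as the draft uses it: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the stdlib decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_code_verifier(nbytes: int = 32) -> str:
    """Client: 32 random bytes give a 43-character verifier (256 bits of entropy)."""
    return b64url_encode(os.urandom(nbytes))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client: S256 is BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return b64url_encode(digest)
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method: " + method)


def verify_encoded(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """Server, the second form in the thread:
    BASE64URL-ENCODE(SHA256(verifier)) === challenge.
    Nothing is ever decoded, and the comparison is constant-time."""
    if not VERIFIER_RE.fullmatch(code_verifier) or not code_challenge.isascii():
        return False
    expected = make_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), code_challenge.encode("ascii"))


def verify_decoded(code_verifier: str, code_challenge: str) -> bool:
    """Server, the first form (appendix B):
    SHA256(verifier) === BASE64URL-DECODE(challenge).
    Kept for contrast: it needs error handling for undecodable input, and the
    stdlib decoder drops the two trailing bits of a 43-char string, so it also
    accepts a non-canonical encoding of the same digest."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False
    try:
        decoded = b64url_decode(code_challenge)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return hmac.compare_digest(digest, decoded)


def noncanonical_variant(code_challenge: str) -> str:
    """Flip the lowest bit of the last base64url symbol.  In a 43-char value that
    bit is one of the 2 padding bits, so the string decodes to the same 32 bytes."""
    last = B64URL_ALPHABET.index(code_challenge[-1])
    return code_challenge[:-1] + B64URL_ALPHABET[last ^ 1]


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(len(verifier), len(challenge))
    print(verify_encoded(verifier, challenge))
    twin = noncanonical_variant(challenge)
    print(verify_decoded(verifier, twin), verify_encoded(verifier, twin))
```

Running the script prints `43 43`, then `True`, then `True False`: the decoded check accepts the malleated challenge and the encoded check does not. The S256 example vector in the draft's Appendix B can be fed to `make_code_challenge` as a known-answer check.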