Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 12 April 2013 22:40 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1814021F8EF2 for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2013 15:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pGvDsTxA-z1T for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2013 15:40:05 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 22C6F21F85B3 for <oauth@ietf.org>; Fri, 12 Apr 2013 15:40:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E802CBE61; Fri, 12 Apr 2013 23:39:42 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSuiZzqhbAlD; Fri, 12 Apr 2013 23:39:41 +0100 (IST)
Received: from [10.87.48.4] (unknown [86.45.56.45]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2F982BE5F; Fri, 12 Apr 2013 23:39:41 +0100 (IST)
Message-ID: <51688D2C.4060508@cs.tcd.ie>
Date: Fri, 12 Apr 2013 23:39:40 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <51644F9A.9040402@cs.tcd.ie> <51687451.3020307@cs.tcd.ie> <51687697.3060602@mitre.org>
In-Reply-To: <51687697.3060602@mitre.org>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2013 22:40:06 -0000
Hiya, On 04/12/2013 10:03 PM, Justin Richer wrote: > Hi Stephen, > > I didn't respond as I didn't have anything to add to your comments, but > what little details I have are inline. Thanks:-) > On 04/12/2013 04:53 PM, Stephen Farrell wrote: >> Hi, >> >> I'm surprised there've been no responses. I thought >> there was more interest in this one. >> >> Ta, >> S. >> >> On 04/09/2013 06:27 PM, Stephen Farrell wrote: >>> Hi, >>> >>> I've done my AD review of this draft. I have two quick questions >>> I'd like to get answered before I start IETF LC. Depending on the >>> answers maybe we should re-spin or just fire ahead, let's see... >>> >>> (1) 2.1: "upon the return of the request" isn't right is it? I >>> think you mean the response at least. And what about HTTP error >>> handling? What if I get a 503 error? Is the client supposed >>> to re-send ever? Don't you need to say? > Should this read "upon receipt of an HTTP 200 response from the server" > instead? Seems like it needs some fix anyway. I'll mark the draft as revised I-D needed. > If there's a 503, the client can't assume the token is gone, > but it also probably shouldn't try spamming the endpoint, either. So what is a client supposed to do if it gets a 503? >>> (2) 2.2: what's in the response body with a 200 response? If it >>> doesn't matter please say so. > Doesn't matter. All information is conveyed in the response code. That'd be fine. But doesn't it need saying? Like I said the rest are nits. But to be clear: I think we (me and the WG) need to figure out the above before IETF LC starts. Cheers, S. > >>> >>> I see from the write-up one author hasn't confirmed there are >>> no IPR issues. I've sent a Marius a mail so hopefully we >>> can sort that as we go. >>> >>> I also have the following nits that can be fixed (if need >>> be) whenever the draft is next changed: >>> >>> - intro: "app" isn't really a great term to use, can you replace >>> with something from 6479. > "app" was chosen because the application to use here could be either the > Client or the Resource Server in RFC6749, so neither is really the right > fit. It's whoever's revoking the token. > >>> >>> - section 2: the "MAY include a query component" is sort of >>> dangling there, maybe it'd be better moved elsewhere? > Don't see where else this could fit. Basically we're saying the endpoint > URL can be defined as "/endpoint?type=revoke" just as easily as "/revoke". >>> >>> - section 2: "MUST be obtained from a trustworthy source." might >>> generate comment from IESG members who don't like using 2119 >>> terms in ways that don't affect interoperability. (I'm fine with >>> it fwiw, and have nearly cured 'em of that craze;-) Consider >>> s/MUST/need to/ here. > WFM. >>> >>> - 2.1: ought there be a registry for token_type_hint values? It >>> looks like maybe there ought be. > I think a registry is overkill for this kind of thing, but I suppose it > could be set up. It's meant to be a *hint* to the server as to what kind > of token it is. If it does get set up, the Introspection draft will use > it (if that ever can get either pulled into the WG or moved through as > an individual submission). > >>> - 2.1: "A client compliant with [RFC6749] must be prepared" was >>> that meant to be a 2119 MUST? > This is informative, not normative. You could easily replace "must" with > "needs to" here and get the same intended meaning, which is that tokens > can disappear when you're not looking. > >>> >>> - section 6: maybe s/shall/need to/ in the last para > > Same as above. > >>> >>> Cheers, >>> S. >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] AD review of draft-ietf-oauth-revocati… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell