Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-04.txt

George Fletcher <gffletch@aol.com> Mon, 07 January 2013 16:25 UTC

Message-ID: <50EAF6F2.90407@aol.com>
Date: Mon, 07 Jan 2013 11:25:22 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
References: <20130107120057.29202.70722.idtracker@ietfa.amsl.com> <50EABAB0.4060807@lodderstedt.net> <50EAF409.80704@aol.com> <50EAF568.8000201@lodderstedt.net>
In-Reply-To: <50EAF568.8000201@lodderstedt.net>

My concern with leaving both specs separated is that over time the 
semantics of the two error codes could diverge and that would be 
confusing for developers. If we don't want to create a dependency on RFC 
6750, then I would recommend a change to the error code name so that 
there is no name collision or confusion.

Thanks,
George

On 1/7/13 11:18 AM, Torsten Lodderstedt wrote:
> Hi George,
>
> thank you for pointing this out. Your proposal sounds reasonable 
> although the revocation spec does not build on top of RFC 6750.
>
> As referring to RFC 6750 would create a new dependency, one could also 
> argue it would be more robust to leave both specs separated.
>
> What do others think?
>
> regards,
> Torsten.
> On 07.01.2013 17:12, George Fletcher wrote:
>> One quick comment...
>>
>> Section 2.0: Both RFC 6750 and this specification define the 
>> 'invalid_token' error code.
>>
>> Should this spec reference the error code from RFC 6750?
>>
>> Thanks,
>> George
>>
>>
>> On 1/7/13 7:08 AM, Torsten Lodderstedt wrote:
>>> Hi,
>>>
>>> the new revision is based on the WGLC feedback and incorporates the 
>>> following changes:
>>>
>>> - renamed "access grant" to "authorization" and reworded parts of 
>>> Abstract and Intro in order to better align with core spec wording 
>>> (feedback by Amanda)
>>> - improved formatting of section 2.1. (feedback by Amanda)
>>> - improved wording of last paragraph of section 6 (feedback by Amanda)
>>> - relaxed the expected behavior regarding revocation of related 
>>> tokens and the authorization itself in order to remove unintended 
>>> constraints on implementations (feedback by Mark)
>>> - replaced description of error handling by pointer to respective 
>>> section of core spec (as proposed by Peter)
>>> - adopted proposed text for implementation note (as proposed by Hannes)
>>>
>>> regards,
>>> Torsten.
>>>
>>> On 07.01.2013 13:00, internet-drafts@ietf.org wrote:
>>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>>> directories.
>>>>   This draft is a work item of the Web Authorization Protocol 
>>>> Working Group of the IETF.
>>>>
>>>>     Title           : Token Revocation
>>>>     Author(s)       : Torsten Lodderstedt
>>>>                            Stefanie Dronia
>>>>                            Marius Scurtescu
>>>>     Filename        : draft-ietf-oauth-revocation-04.txt
>>>>     Pages           : 8
>>>>     Date            : 2013-01-07
>>>>
>>>> Abstract:
>>>>     This document proposes an additional endpoint for OAuth authorization
>>>>     servers, which allows clients to notify the authorization server that
>>>>     a previously obtained refresh or access token is no longer needed.
>>>>     This allows the authorization server to cleanup security credentials.
>>>>     A revocation request will invalidate the actual token and, if
>>>>     applicable, other tokens based on the same authorization.
>>>>
>>>>
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation
>>>>
>>>> There's also a htmlized version available at:
>>>> http://tools.ietf.org/html/draft-ietf-oauth-revocation-04
>>>>
>>>> A diff from the previous version is available at:
>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-revocation-04
>>>>
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>
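The behaviour the abstract describes (a revocation request invalidates the named token and, where applicable, the other tokens issued under the same authorization) and the 'invalid_token' error George refers to in Section 2.0, sketched as an added example. This is illustration code written for this page, not code from the draft or its authors. The draft text itself is not on the page, so the request shape (a client identifier plus the token string), the choice that revoking a refresh token ends the whole authorization while revoking an access token ends only that token, and the 400/'invalid_token' response for an unknown token are assumptions about how an implementer might read the abstract and the thread.

```python
"""Toy OAuth authorization server with a revocation endpoint.

Added example for the draft-ietf-oauth-revocation thread; not code from
the draft. Request/response shapes and the cascade policy are assumptions
(see the lead-in), chosen to match the abstract's wording.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Authorization:
    """One grant (resource owner + client + scope) under which tokens are issued."""
    user: str
    client_id: str
    scope: str
    revoked: bool = False


@dataclass
class TokenRecord:
    kind: str            # "access" or "refresh"
    auth: Authorization
    active: bool = True


class AuthorizationServer:
    def __init__(self) -> None:
        # token string -> record; an in-memory stand-in for the AS token store
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, user: str, client_id: str, scope: str):
        """Issue an access/refresh token pair under a fresh authorization."""
        auth = Authorization(user, client_id, scope)
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._tokens[access] = TokenRecord("access", auth)
        self._tokens[refresh] = TokenRecord("refresh", auth)
        return auth, access, refresh

    def refresh(self, refresh_token: str) -> Optional[str]:
        """Mint a new access token under the refresh token's authorization."""
        rec = self._tokens.get(refresh_token)
        if rec is None or rec.kind != "refresh" or not rec.active or rec.auth.revoked:
            return None
        access = secrets.token_urlsafe(32)
        self._tokens[access] = TokenRecord("access", rec.auth)
        return access

    def is_active(self, token: str) -> bool:
        """What a resource server would check: token live and grant not revoked."""
        rec = self._tokens.get(token)
        return rec is not None and rec.active and not rec.auth.revoked

    def revoke(self, client_id: str, token: str) -> Tuple[int, dict]:
        """Revocation endpoint. Returns (http_status, json_body).

        Assumed error handling (the thread says Section 2.0 of draft-04
        defines 'invalid_token'): an unknown token, or one that belongs to a
        different client, gets the same error so the endpoint does not act
        as an oracle for other clients' tokens.
        """
        rec = self._tokens.get(token)
        if rec is None or rec.auth.client_id != client_id:
            return 400, {"error": "invalid_token"}
        rec.active = False
        if rec.kind == "refresh":
            # "if applicable, other tokens based on the same authorization":
            # assumed policy is that revoking the refresh token ends the grant,
            # so every access token issued under it stops validating too.
            rec.auth.revoked = True
        # Revoking an access token alone leaves the refresh token usable.
        return 200, {}
```

The cascade policy is the part the abstract leaves open ("if applicable"); the fourth bullet in Torsten's change list says draft-04 deliberately relaxed it to avoid constraining implementations, so treat the refresh-ends-grant rule above as one reasonable reading rather than the draft's requirement. Note also that the published RFC 7009 later dropped the error response for invalid tokens in favour of returning 200, so an implementation tracking the final RFC would not keep the 400 branch as written here.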