[OAUTH-WG] Review comments on draft-ietf-oauth-pop-key-distribution-00

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 09 August 2014 16:37 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/baEumN4Xar77o68Aw1J5xA4AUqU

Hi John,

- new audience header
Why do you want to use another header/parameter to identify the target 
RS? Isn't scope sufficient to carry this information?
The text seems to be inconsistent regarding the name (aud or audience) 
and whether this is actually a header or a parameter.
I also miss the header/parameter in the example request.

- alg
I assume the client is supposed to first discover the RS's 
capabilities. Any idea how the client should do this?

kind regards,