IETF Logo Mail Archive

Re: [OAUTH-WG] draft-15 editorials

Paul Madsen <paul.madsen@gmail.com> Wed, 06 April 2011 10:58 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F1EE3A68FE for <oauth@core3.amsl.com>; Wed, 6 Apr 2011 03:58:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.448
X-Spam-Level:
X-Spam-Status: No, score=-3.448 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hG01aTIm4gH for <oauth@core3.amsl.com>; Wed, 6 Apr 2011 03:58:15 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id F13B73A68C8 for <oauth@ietf.org>; Wed, 6 Apr 2011 03:58:14 -0700 (PDT)
Received: by gyf3 with SMTP id 3so635096gyf.31 for <oauth@ietf.org>; Wed, 06 Apr 2011 03:59:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=8QPdIE5OTAv+Bc7k7mGboQRMtd0TbnryBmr+rF6FqzM=; b=IMfF7OY7PbG2equi0lPeS9MIAbVI7LMkk8C5A2jRo1iwRpWHrkLYdRyUre04hG2Vah cdaAQj0dQmTBc1hXqJrKvpfe+XFlr6UkL6MWcI8OFoU3lD4qG8Vjf5KwMUCGpJZkcCkJ o15DrgRZG4Xdnv3pigGgDkGxz+IrR6kvP36WE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; b=G0WgukmSI1Z8mCOpvqNPuJ5k+7gqMruWhgzxqpeQGIQBVTLuc70cdbECvvPyBor9oS 4r9OzF1uMgVKoqN9AbKvoMaKqbjdFwRJrbj4AVXy3pbIC61PoAoivukLFWzvWAEL9ziU j6PkT8zuX4mEkHppeEHES4XvWHwjlx3bF0Og0=
Received: by 10.100.16.17 with SMTP id 17mr617215anp.56.1302087597019; Wed, 06 Apr 2011 03:59:57 -0700 (PDT)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com [99.224.152.177]) by mx.google.com with ESMTPS id b3sm523200ana.50.2011.04.06.03.59.54 (version=SSLv3 cipher=OTHER); Wed, 06 Apr 2011 03:59:55 -0700 (PDT)
Message-ID: <4D9C47A8.30605@gmail.com>
Date: Wed, 06 Apr 2011 06:59:52 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: oauth@ietf.org
References: <255B9BB34FB7D647A506DC292726F6E11281BA9188@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B1680429673943252CE4F8@TK5EX14MBXC203.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943252CE4F8@TK5EX14MBXC203.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------000104080901080303030004"
Subject: Re: [OAUTH-WG] draft-15 editorials
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 10:58:19 -0000

Can we not acknowledge in the abstract that there are other applications 
for OAuth beyond the delegated authz scenario?

I tell people that OAuth 2 is more a framework than a specific protocol, 
but the current abstract belies this claim.

paul

On 4/5/11 8:57 PM, Mike Jones wrote:
>
> Also, change "which in turns directs" to "which in turn directs".
>
>                                                                 -- Mike
>
> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On 
> Behalf Of *Manger, James H
> *Sent:* Tuesday, April 05, 2011 5:51 PM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] draft-15 editorials
>
> A few, mainly editorial, points on the latest OAuth 2.0 core draft 
> [draft-ietf-oauth-v2-15]:
>
> *Abstract*: Currently it is:
>
>    The OAuth 2.0 authorization protocol enables granting third-party
>
>    applications limited access to HTTP service on behalf of an end-user
>
>    by orchestrating an approval interaction between the end-user and the
>
>    HTTP service.
>
> This sentence is confusing as to whom is doing the orchestrating. It 
> is an important OAuth feature that the 3rd-party app does this. Also 
> add "an" before "HTTP service".
>
>    The OAuth 2.0 authorization protocol enables a third-party application
>
>    to obtain limited access to an HTTP service on behalf of an end-user
>
>    by orchestrating an approval interaction between the end-user and the
>
>    HTTP service.
>
> *2.1 Authorization Endpoints*
>
>    ...when sending requests to the token endpoints
>
> should be
>
>    ...when sending requests to the authorization endpoint
>
> *7.1 Access Token Types*
>
> I suggest adding the following sentence to the end of the 1^st 
> paragraph, just to be sure a security value is not used in the wrong 
> protocol.
>
>    A client MUST NOT use an access token if it does not understand the 
> token type.
>
> *7.1 Access Token Types*
>
> Use a different access token for the Bearer and MAC examples to avoid 
> any implication that a given token can be used with either method at 
> the client's discretion. Perhaps make the example Bearer token a bit 
> longer. The current example value has at most 72 bits of entropy that 
> doesn't match the 128-bits required in 
> draft-lodderstedt-oauth-security-01#section-5.1.4.2.2.
>
>    Authorization: Bearer 7Fjfp0ZBr1KtDRbnfVdmIw
>
> *7.1 Access Token Types*
>
> The timestamp value in the MAC example corresponds to a date in 1974!
>
> --
>
> James Manger
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email