[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment VI

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 April 2012 22:55 UTC


The treatment of client_id in draft-ietf-oauth-assertions-01 seems a bit
inconsistent/problematic.

§4.1 & 4.2 say it's OPTIONAL.

§'s 6.1 and 6.2 have, "The client_id HTTP parameter SHOULD identify the
client to the authorization server" while 6.3 and 6.4 have, "The client_id
HTTP parameter MUST identify the client to the authorization server."  Are
these intended to be stronger than the OPTIONAL in the 4.x's?  Or to say
that it should/must identify the client, in the case that the parameter is
present?

I would suggest that all of those except the one in §4.1 be removed and
that the 4.1 one be changed to say,

   "client_id  OPTIONAL.  The client identifier as described in Section 2
      of OAuth 2.0 [I-D.ietf.oauth-v2]. When present, the client_id MUST
      (or SHOULD?) identify the client to the authorization server."

That would cover the client authentication cases and defer to the core spec
for authorization cases (though it's not 100% clear, I think it says or
should say that it's optional in most cases).

I'm not sure if that meets the original intent though?
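As an added illustration of the proposed wording (example code, not from the draft or from this message), the check below is what a token endpoint would apply: client_id is optional, but when present it must agree with the client the validated assertion identifies. The `asserted_client` input is an assumption, standing in for whatever identifier the server has already established from the assertion itself.

```python
from urllib.parse import parse_qs

# Possible outcomes of the client_id check.
ABSENT, MATCH, MISMATCH, MALFORMED = "absent", "match", "mismatch", "malformed"


def check_client_id(form_body: str, asserted_client: str):
    """Apply the proposed rule to a token endpoint request body.

    form_body       -- the application/x-www-form-urlencoded request body
    asserted_client -- client identifier already established from the
                       validated assertion (assumed input; how it is derived
                       depends on the assertion format and is not shown here)

    Returns (outcome, client_id): client_id is the identifier the
    authorization server should treat as the requesting client, or None
    when the request must be rejected.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    values = params.get("client_id", [])
    if not values:
        # client_id is OPTIONAL: the client is identified by the assertion alone.
        return ABSENT, asserted_client
    if len(values) > 1 or values[0] == "":
        # OAuth 2.0 core forbids repeating a parameter; an empty value
        # identifies nothing. Reject rather than pick one.
        return MALFORMED, None
    if values[0] != asserted_client:
        # Present but does not identify the same client the assertion does:
        # trusting either value would let one party speak for another.
        return MISMATCH, None
    return MATCH, values[0]


if __name__ == "__main__":
    # Constructed sample request bodies (not taken from the draft).
    samples = [
        "assertion=sample-assertion",
        "client_id=client-a&assertion=sample-assertion",
        "client_id=client-b&assertion=sample-assertion",
        "client_id=client-a&client_id=client-a&assertion=sample-assertion",
    ]
    for body in samples:
        print(body, "->", check_client_id(body, "client-a"))
```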