[OAUTH-WG] Fwd: Wording feedback in draft 3 of draft-ietf-oauth-v2-http-mac

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 07 May 2013 06:40 UTC


Thanks for your feedback, Patrick.

I forwarded your review comments to the IETF OAuth mailing list. Will 
discuss it there.

-------- Original Message --------
Subject: Wording feedback in draft 3
Resent-To: hannes.tschofenig@gmx.net, jricher@mitre.org, 
Date: Mon, 06 May 2013 16:49:41 -0700
From: Patrick Radtke <pradtke@stanford.edu>
To: draft-ietf-oauth-v2-http-mac@tools.ietf.org

I'm not sure how this is usually done, but here is some feedback on
wording that I found confusing. I didn't know where to look to determine
if this feedback has already been given.

> 128	   Since a keyed message digest only provides integrity protection and
> 129	   data-origin authentication confidentiality protection can only be
> 130	   added by the usage of Transport Layer Security (TLS).

What is the 'since' implying? Usually 'since' would be used to imply an
action, but the rest of the sentence is just a statement. Maybe
"Transport Layer Security (TLS) MAY be used to provide data-origin
authentication confidentiality protection since a keyed message digest
only provides integrity protection"

> 323	   The transport of the mac_key from the authorization server to the
> 324	   resource server is accomplished by conveying the encrypting mac_key
> 325	   inside the access token.

The phrase 'encrypting mac_key' is confusing, maybe because it's a typo?
Is that supposed to be 'encrypted mac_key' or 'conveying the mac_key
inside the encrypted access token'?

> 591	       the token).  The content of the access token, in particular the
> 592	       audience field and the scope, MUST be verified as described in

There is no reference after 'in'.