[OAUTH-WG] FW: Review of the Dynamic Registration Draft
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Tue, 04 June 2013 13:37 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36D3A21F9DE2 for <oauth@ietfa.amsl.com>; Tue, 4 Jun 2013 06:37:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pc8M+QxN0wUx for <oauth@ietfa.amsl.com>; Tue, 4 Jun 2013 06:37:30 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 4F6AC21F9A37 for <OAuth@ietf.org>; Tue, 4 Jun 2013 05:06:36 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r54C6ZRZ015268 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <OAuth@ietf.org>; Tue, 4 Jun 2013 14:06:35 +0200
Received: from USCHHTC002.nsn-intra.net ([10.159.161.15]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r54C6Xun004713 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <OAuth@ietf.org>; Tue, 4 Jun 2013 14:06:34 +0200
Received: from USCHHTC004.nsn-intra.net (10.159.161.17) by USCHHTC002.nsn-intra.net (10.159.161.15) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 4 Jun 2013 07:06:32 -0500
Received: from USCHMBX001.nsn-intra.net ([169.254.1.6]) by USCHHTC004.nsn-intra.net ([10.159.161.17]) with mapi id 14.03.0123.003; Tue, 4 Jun 2013 07:06:32 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: "OAuth@ietf.org" <OAuth@ietf.org>
Thread-Topic: Review of the Dynamic Registration Draft
Thread-Index: Ac5hFZGg59iSssXlQAmTL7tr4RW9MgABlBew
Date: Tue, 04 Jun 2013 12:06:32 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2A9F1480@USCHMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.159.42.126]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 3817
X-purgate-ID: 151667::1370347595-000017BA-AE8FDDB4/0-0/0-0
Subject: [OAUTH-WG] FW: Review of the Dynamic Registration Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 13:37:44 -0000
Re-send: my earlier mail seems to have gotten lost. -----Original Message----- From: Tschofenig, Hannes (NSN - FI/Espoo) Sent: Tuesday, June 04, 2013 2:21 PM To: 'OAuth@ietf.org' Subject: Review of the Dynamic Registration Draft Dear draft authors, Dear working group, I read through the dynamic registration draft and here a few observations I have made: * The 'Initial Access Token' is really more a developer identifier. If you give it a different name then it might be more intuitive for the reader since the current wording is a bit fuzzy. For example, in Section 1.3 you only hint to the fact that this identifier refers to the developer later in the text. * From the description I have problems understanding the value of the "Registration Access Token". I believe you can accomplish exactly the same security benefits if you just use the client credentials instead. Do I see this wrong? * OAuth 2.0 supports a number of authorization grants and I have assumed that the dynamic client registration would focus on the authorization code grant. To my surprise the implicit grant also seems to be supported. The implicit grant has weak security properties and it's usage should actually be discouraged. Why would you want to support the implicit grant for the dynamic client registration? * There is a lot of RFC 2119 language in the document but it is used in a way that does not relate to protocol interoperability. Every time you write SHOULD or MAY think about whether a developer could write some useful code. Just to give you an example: " client_name Human-readable name of the Client to be presented to the user. If omitted, the Authorization Server MAY display the raw "client_id" value to the user instead. " First, in this sentence what is presented to the user isn't really part of protocol interoperability. So, I wouldn't use RFC 2119 language here. What is necessary for protocol interoperability is whether the field is optional/mandatory to send by the client-side, and optional/mandatory to understand on the server-side. Additionally, do you think that an end user will likely see a lot of meaning in the client_id, which is a random string. What is the end user supposed to use that information for? Another example: " Extensions and profiles of this specification MAY expand this list, but Authorization Servers MUST accept or ignore all parameters on this list. The Authorization Server MUST ignore any additional parameters sent by the Client that it does not understand. " In the first sentence you don't want to use RFC 2119 language either. If there are ways to extend the functionality via registries then point to the sections that explain how to extend it. The next two sentences are confusing. It seems that you want to have any additional parameter to be purely optional for the authorization server to understand. That's fine but what does this sentence then mean: "Authorization Servers MUST accept or ignore all parameters on this list."? * An editorial issue: There is an excessive usage of capitalization in the document. If you look at previously published RFCs in the OAuth working group you will noticed that the RFC editor changes those to lower-case. For example, just use authorization server instead of Authorization Server. Same for Client, Developer, etc. Ciao Hannes PS: I obviously noticed that the WGLC had trigger some discussion. In some sense that's good since this is what WGLCs are for. On the other hand it would be good to reach an agreement on the open issues.
- [OAUTH-WG] Review of the Dynamic Registration Dra… Tschofenig, Hannes (NSN - FI/Espoo)
- [OAUTH-WG] FW: Review of the Dynamic Registration… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] FW: Review of the Dynamic Registra… Justin Richer