[OAUTH-WG] review http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01

Leif Johansson <leifj@mnt.se> Wed, 02 January 2013 11:52 UTC

Message-ID: <50E41F8F.4060903@mnt.se>
Date: Wed, 02 Jan 2013 12:52:47 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: oauth@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] review http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01

Some comments in the order I discovered them...

- the term holder-of-_the_-key (my ascii-emphasis) is used when
the normal terminology is just "holder-of-key", not sure what is
added by the definite form...
- s/incredients/ingredients/g
- say "a mechanism for secure and scalable key management" in 1 (1)
instead of using the word "dynamic" which is pretty vague.
- the wording in 3.1 makes it a bit hard to tell when you're talking about
HotK or stock OAUTH.
- "profile" seems like too generic a term to spend on what is essentially a
choice of key format.
- in the example authz request you should clearly state that the 'id'
parameter is used to carry the key identifier (just to improve
readability). Perhaps change 'hotk' to 'hotk_id'.
- why do key identifiers, profile names etc need their own ABNF (end
of 3.1.1)?
- when computing the signature, don't you want to hash over the
entire request string so that you include the HTTP version? At least
in theory the semantics of the method is tied to the version...
- what does "put into the body of the HTTP request." mean? Are
you using any particular mime-type for instance?
- have you investigated the deployability of 3.2.2? I would expect that
using signatures (JWS) would be a lot easier to code for in practice. It's
a strange world.

        Cheers Leif
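The signature comment above asks whether the signed string should cover the HTTP version. The following is an added illustration of that point, not code from the draft or from this message: a request signing and verification routine in which the canonical string covers method, request target, HTTP version, host and a body hash. The newline-separated canonical layout, the in-memory key store, and the `hotk_id` parameter name (taken from the suggestion in the review) are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample key store (key identifier -> shared secret); this is an
# assumption for the example, not the key format or key management of the draft.
KEYS = {"key-1": b"constructed-demo-secret-do-not-reuse"}


def canonical_request(method, target, version, host, body):
    """Build the string that gets signed.

    Covering the HTTP version binds the signature to the version the method
    semantics belong to, which is the concern raised in the review. The body
    is represented by its SHA-256 hex digest so the canonical string stays
    small and newline-safe. The layout itself is an assumption for this example.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), target, version, host.lower(), body_hash])


def sign_request(key_id, method, target, version, host, body):
    """Return the authentication parameters a holder-of-key client would send.

    'hotk_id' carries the key identifier (the name suggested in the review);
    'sig' is HMAC-SHA256 over the canonical request under that key.
    """
    key = KEYS[key_id]
    msg = canonical_request(method, target, version, host, body).encode()
    return {"hotk_id": key_id, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def verify_request(auth, method, target, version, host, body):
    """Verify 'auth' against the request the resource server actually received.

    The server rebuilds the canonical string from the request as it saw it,
    looks up the key by identifier, and compares MACs in constant time.
    """
    key = KEYS.get(auth.get("hotk_id"))
    if key is None:
        return False
    msg = canonical_request(method, target, version, host, body).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, auth.get("sig", ""))


def demo():
    """Sign one constructed request and check what verification accepts and rejects."""
    body = b'{"op":"transfer","amount":10}'
    auth = sign_request("key-1", "POST", "/resource", "HTTP/1.1", "example.com", body)
    return {
        # the untouched request verifies
        "ok": verify_request(auth, "POST", "/resource", "HTTP/1.1", "example.com", body),
        # same method, target, host and body, but a different protocol version
        "version_changed": verify_request(auth, "POST", "/resource", "HTTP/1.0", "example.com", body),
        # body modified in transit
        "body_changed": verify_request(auth, "POST", "/resource", "HTTP/1.1", "example.com", b"{}"),
        # key identifier the server does not know
        "unknown_key": verify_request({"hotk_id": "key-9", "sig": auth["sig"]},
                                      "POST", "/resource", "HTTP/1.1", "example.com", body),
    }


if __name__ == "__main__":
    print(demo())
```

Because the version is part of the canonical string, a request replayed or rewritten under a different HTTP version fails verification even though every other field matches; drop `version` from `canonical_request` and the `version_changed` case would verify.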