IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-urn-sub-ns-02

Brian Campbell <bcampbell@pingidentity.com> Wed, 20 June 2012 18:13 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFF5F21F876D for <oauth@ietfa.amsl.com>; Wed, 20 Jun 2012 11:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.577
X-Spam-Level:
X-Spam-Status: No, score=-5.577 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 96d2TvmGL6T9 for <oauth@ietfa.amsl.com>; Wed, 20 Jun 2012 11:13:35 -0700 (PDT)
Received: from na3sys009aog121.obsmtp.com (na3sys009aog121.obsmtp.com [74.125.149.145]) by ietfa.amsl.com (Postfix) with ESMTP id 3108C21F8766 for <oauth@ietf.org>; Wed, 20 Jun 2012 11:13:34 -0700 (PDT)
Received: from mail-qa0-f52.google.com ([209.85.216.52]) (using TLSv1) by na3sys009aob121.postini.com ([74.125.148.12]) with SMTP ID DSNKT+ISzT2vsVyudcdHruZfuJtyrJi7PLD/@postini.com; Wed, 20 Jun 2012 11:13:35 PDT
Received: by qabj34 with SMTP id j34so731676qab.4 for <oauth@ietf.org>; Wed, 20 Jun 2012 11:13:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=LzkK1uZ2fbeqziUsbTi4sciFja1ReDuQVe5IzIWQtro=; b=jC5bVcx/4/HE8fuO43dGMPx5NfqtSOoF1pPr4tY7RrRech+/+ZAAEZHc8rfMsQhh3K 0FUGLWuxIU2eXJEvTmN+SCh0Py+IH/NiBonh0p1k5k+m4BmSUWPy0orFEYX/YPDoH0WH 7JRwR8D8Jgsl4FlQxa0qFRjkIzeOzr+/vU5Dn1ftOMdOjhL/EaieSWQRmw9LvLWqIxgs iLYSNgOwDtg6klDyD917n9kaT9sWcmHqnh/aUyQ7ZeLVsXvYTXnKEdj5TKwZFwE2FMBc Gv/fJZh5sdWU+ShrZWCgFocU23vTV8+usm2elZFv4zinFC90U0VoHtJPJWMhGibiw+4I Ed1A==
Received: by 10.224.212.1 with SMTP id gq1mr42996188qab.54.1340216012988; Wed, 20 Jun 2012 11:13:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.87.142 with HTTP; Wed, 20 Jun 2012 11:13:02 -0700 (PDT)
In-Reply-To: <4FE1FD1E.1060601@cs.tcd.ie>
References: <4FE1C16D.6010602@cs.tcd.ie> <CA+k3eCS4iNpRfQ+by8L+petrT8jJVhjUeQTLxXcgZ+aHkKu4Cw@mail.gmail.com> <4FE1FD1E.1060601@cs.tcd.ie>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 20 Jun 2012 12:13:02 -0600
Message-ID: <CA+k3eCR2gh2=rkT4UiZQNswphg6+19Rn8uQxErpcJJKwsWjchg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkG1WdQXhqFO76tuaO4sxqcSCRw4LKBoy+6g4FdzTzavZyqD+o6GzFQwVdBQRVCFAnw/VGV
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-urn-sub-ns-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2012 18:13:37 -0000

Thanks Stephen,

I'll try and get all that done soon.

On Wed, Jun 20, 2012 at 10:41 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
> Hi Brian,
>
> That all looks fine.
>
> I'd say start from the expert review text from the oauth base
> IANA considerations if that's what you think the WG want. Posting
> that to the list for checking would seem worthwhile, its common
> to need a minor tweak or two.
>
> I'm ok with having or not having the reference to oauth
> base security considerations - whatever you prefer.
>
> I'll mark this as revised I-D needed.
>
> Soon's that's out I'll start IETF LC.
>
> Thanks,
> S.
>
>
> On 06/20/2012 05:26 PM, Brian Campbell wrote:
>> Thanks Stephen (also Peter) for the review and feedback. Responses are inline.
>>
>> On Wed, Jun 20, 2012 at 6:26 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>>>
>>> Hi,
>>>
>>> Many thanks for a nice short document!
>>
>> If only they could all be so short right? :)
>>
>>> I've a few questions though and suspect that a quick re-spin
>>> might be needed, but let's see what the wg think about 'em
>>> first.
>>>
>>> (1) Why Informational? Everything else at that level seems to
>>> be specified in a standards track or BCP level RFC, and IETF
>>> Consensus is required. [1] I think you have to do this as
>>> standards track. Did I miss something?
>>
>> I'm pretty sure that was just an oversight when using some boilerplate
>> xml to get the document started. I agree with you and Peter that
>> standards track makes more sense and I've updated my local copy of the
>> source to reflect that.
>>
>>>
>>> (2) Do you *really* want RFC or specification required for all
>>> registrations?  I don't care, but there is a trend away from
>>> that at the moment since its been found to discourage
>>> registrations in a lot of cases. Perhaps expert review would
>>> be ok?  No trying to push you one way or the other, I just
>>> wanted to check.
>>
>> Again I agree with you and Peter - lighter is preferred.  Though
>> Hannes wrote the original text for this so I'd ask that he please
>> speak up if there was some reason to require RFC here that we aren't
>> aware of.
>>
>> Can you help me with the proper text for this? Is it sufficient to
>> drop the "NOTE: in  order for a URN of this type to be assigned, the
>> item being registered MUST be documented in a RFC" text from the 1st
>> paragraph of §3 and change "New entries to the registry are
>> Specification Required" to "New entries to the registry require expert
>> review" in §5.1?
>>
>>
>>> (3) If answer to (2) is yes: Section 5.1 says "Specification
>>> Required" but section 3 said "RFC Required" and those differ.
>>> For example, an OASIS spec would not be ok if you say RFC
>>> required. I don't know if you care, but you need to be
>>> consistent. (Or else I've misread something;-)
>>
>> Having chaired an OASIS TC for 2 years I probably should care :)  See
>> the previous comment/question about relaxing this.  Expert review
>> seems good or maybe Specification Required but not RFC Required.
>> Regardless, your are right, it should at very least be consistent :)
>>
>>> (4) Isn't the template missing the reference to the RFC or
>>> other specification that defines the URN?
>>
>> I believe the "Description" portion of the template was intended to
>> capture that. Or that's how it's kinds been used by specs that use it
>> anyway. Should we add a "Specification document(s):" to the template?
>>
>>> (5) I don't get section 3, sorry;-) Can you give an example of
>>> a class:id pair that'd be registered?
>>
>> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-12#section-6
>> and http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-00#section-6
>> are real examples that *hopefully* do the registration correctly.
>>
>> Do you think I should add an example registration directly to
>> draft-ietf-oauth-urn-sub-ns?
>>
>>> Asking IANA to generate
>>> the id part seems odd.
>>
>> Agreed. The "please assign" text should probably be removed. It's
>> really up to the defining spec to say what the class and id are/
>>
>>> nits:
>>>
>>> s3: s/generally referred/generally known/
>>
>> Will do.
>>
>>> s4: Might be worth pointing at the security considerations
>>> section of draft-ietf-oauth-v2? I'd say that text would be
>>> good to have read to know about the security considerations
>>> for the use of these URNs, before you go making one up.
>>
>> Is just referencing it sufficient?
>>
>>

v2.14.0 | Report a Bug | By Email