Re: [OAUTH-WG] AD Review: draft-ietf-oauth-discovery-06
Mike Jones <Michael.Jones@microsoft.com> Tue, 05 September 2017 23:11 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hT9g1rgmxLDcVMfnOjwk0j8MAlc>
Thanks for your useful review, Eric. Proposed resolutions to all comments are inline prefixed by "Mike>".

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Sunday, September 3, 2017 3:26 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] AD Review: draft-ietf-oauth-discovery-06

Hi folks,

Note: the original of this review is on Phabricator at: https://mozphab-ietf.devsvcdev.mozaws.net/D7

If you want to see comments in context, you can go there. Also, you can create an account and respond inline if you like. If you elect to, let me know if you run into problems.

-Ekr

I have marked a number of places where it seems like you either need defaults or need to indicate what the semantics are if missing.

   This metadata can either be communicated in a self-asserted fashion or as a set of signed metadata values represented as claims in a JSON

I assume "self-asserted" in this case means "asserted by the server origin via HTTPS".

Mike> Thanks - I will use this language.

Line 222
   authentication methods. Servers SHOULD support "RS256". The value "none" MUST NOT be used.

What's the default if omitted?

Mike> I will add "If omitted, these authentication methods cannot be used."

Line 235
   represented as a JSON array of BCP47 [RFC5646] language tag values.

What's the default if omitted?

Mike> There is no default. I will add "If omitted, the set of supported languages and scripts is unspecified."

Line 267
   "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters].

What's the default if omitted?

Mike> I will add client_secret_basic as the default - just like it already was for token_endpoint_auth_methods_supported.

Line 275
   "client_secret_jwt" authentication methods. The value "none" MUST NOT be used.

What's the default if omitted?

Mike> I will add "If omitted, these authentication methods cannot be used."

Line 288
   Access Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.)

What's the default if omitted?

Mike> There is no obvious default. Therefore, I will add "If omitted, the set of supported authentication methods MUST be determined by other means."

Line 296
   "client_secret_jwt" authentication methods. The value "none" MUST NOT be used.

What's the default if omitted?

Mike> I will add "If omitted, these authentication methods cannot be used."

Line 304
   challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters].

What's the default if omitted?

Mike> I will add "If omitted, the authorization server does not support PKCE."

Line 343
   MUST be registered in the IANA "Well-Known URIs" registry [IANA.well-known].

IMPORTANT: Shouldn't this be required to be HTTPS?

Mike> I will add "This path MUST use the "https" scheme."

Line 500
   client MUST perform a TLS/SSL server certificate check, per RFC 6125 [RFC6125]. Implementation security considerations can be found in Recommendations for Secure Use of TLS and DTLS [BCP195].

Hmm.... I'm unsure about whether this should be a citation to 2818. Is the general feeling that 6125 superseded 2818?

Mike> OAuth 2.0 [RFC 6749] also requires an RFC 6125 certificate validation, so this is in line with other uses of the OAuth protocol family.

Line 564
   The following registration procedure is used for the registry established by this specification.

This section seems like it needs RFC2119 language.

Mike> This registry language closely follows that in OAuth 2.0 [RFC 6749] and subsequent OAuth specifications. I'd rather keep them parallel unless something isn't clear.

Line 568
   Values are registered on a Specification Required [RFC5226] basis after a two-week review period on the mailto:oauth-ext-review@ietf.org mailing list, on the advice of one or more Designated Experts.

What happens if you don't do anything within two weeks?

As it says later in this section "Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the iesg@ietf.org mailing list) for resolution."

Line 756
   o Change Controller: IESG
   o Specification Document(s): Section 2 of [[ this specification ]]

Extra whitespace.

Are you talking about there being two spaces between the bullet character "o" and the items such as "Change Controller: IESG"? That's what <list style='symbols'> does. Or are you wanting more whitespace somewhere? Please give more context because I'm not looking at this on Phabricator. (I created an account "mbj" but it wanted me to install a second factor phone app, which seemed like a bit much...)

Thanks,
-- Mike
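The review above turns on what a client should assume when an authorization server metadata document omits a field, and on the "none" and "https" requirements. The following is an added example written for this archive page, not code from the draft or from either correspondent: a small client-side checker that applies the resolutions proposed in the reply (client_secret_basic as the default authentication method, omitted signing-algorithm lists meaning the JWT-based methods cannot be used, an omitted code_challenge_methods_supported meaning no PKCE, rejection of "none", and the "https" scheme requirement). The metadata field names are those of the draft; the sample document is constructed, and the well-known path string and the rule for inserting it between host and issuer path are assumptions taken from the published form of the specification rather than from this message.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample metadata document (not from the draft). It deliberately
# omits several optional fields and includes the forbidden "none" value.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks.json",
    "revocation_endpoint": "https://as.example.com/revoke",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "none"],
})

# Fields whose omission means "these (JWT-based) authentication methods cannot be used".
SIGNING_ALG_FIELDS = (
    "token_endpoint_auth_signing_alg_values_supported",
    "revocation_endpoint_auth_signing_alg_values_supported",
    "introspection_endpoint_auth_signing_alg_values_supported",
)

# Every URL-valued field a client dereferences; all of them must use https.
ENDPOINT_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "revocation_endpoint", "introspection_endpoint",
)


def metadata_url(issuer: str) -> str:
    """Build the well-known metadata URL for an issuer, refusing non-https issuers.
    Assumption: the well-known path is inserted between host and issuer path."""
    parts = urlparse(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer and well-known path MUST use the https scheme")
    return f"https://{parts.netloc}/.well-known/oauth-authorization-server{parts.path.rstrip('/')}"


def apply_defaults(metadata: Dict) -> Dict:
    """Fill in the omitted-field semantics proposed in the reply."""
    out = dict(metadata)
    # Default for the token endpoint, and the same default proposed for revocation.
    out.setdefault("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    out.setdefault("revocation_endpoint_auth_methods_supported", ["client_secret_basic"])
    # Introspection has no default: None means "MUST be determined by other means".
    out.setdefault("introspection_endpoint_auth_methods_supported", None)
    # Omitted signing-alg lists: the JWT-based methods cannot be used.
    for field in SIGNING_ALG_FIELDS:
        out.setdefault(field, [])
    # Omitted PKCE methods: the server does not support PKCE.
    out.setdefault("code_challenge_methods_supported", [])
    return out


def pkce_supported(metadata: Dict) -> bool:
    return bool(metadata.get("code_challenge_methods_supported"))


def validate(metadata: Dict) -> List[str]:
    """Return a list of MUST/SHOULD violations found in a (defaulted) document."""
    problems = []
    for field in SIGNING_ALG_FIELDS:
        algs = metadata.get(field) or []
        if "none" in algs:
            problems.append(f"{field}: the value 'none' MUST NOT be used")
        if algs and "RS256" not in algs:
            problems.append(f"{field}: servers SHOULD support RS256")
    for field in ENDPOINT_FIELDS:
        url: Optional[str] = metadata.get(field)
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{field}: MUST use the https scheme")
    return problems


def check_document(raw_json: str) -> List[str]:
    return validate(apply_defaults(json.loads(raw_json)))


if __name__ == "__main__":
    print(metadata_url("https://as.example.com"))
    for problem in check_document(SAMPLE_METADATA):
        print("problem:", problem)
```

A client that only reads the fields the server happens to publish will silently treat an omitted revocation_endpoint_auth_methods_supported as "nothing supported" and an omitted code_challenge_methods_supported as "unknown"; applying the defaults first makes the two cases distinguishable, and the validation step catches the "none" value before any JWT-based client authentication is attempted.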