Re: [OAUTH-WG] Alexey Melnikov's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Wed, 24 May 2017 16:17 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95BF312EB4B for <oauth@ietfa.amsl.com>; Wed, 24 May 2017 09:17:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nk2q0HAitew9 for <oauth@ietfa.amsl.com>; Wed, 24 May 2017 09:17:51 -0700 (PDT)
Received: from mail-pg0-x235.google.com (mail-pg0-x235.google.com [IPv6:2607:f8b0:400e:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A619A12EB44 for <oauth@ietf.org>; Wed, 24 May 2017 09:17:51 -0700 (PDT)
Received: by mail-pg0-x235.google.com with SMTP id x64so67976286pgd.3 for <oauth@ietf.org>; Wed, 24 May 2017 09:17:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=unCH9I4hEkpPnL3vbdd10FYS4ksJ/AfDRnPESu7Oel8=; b=hZRAMpTF8iewGghyva5G+ndTVy1NsVPYd5IkYPWAbZlHPYtV78b+6dJC/R8P4VRofl u1NPc106hkg5stKMHzLPbRSHdPFmAFrsUJremmZ3f2mPbwrDwPcRxw3Y2AtvlJtcW8gD pi0jpKHAVztOHthBa6dkRaM5W9qD3cGHIpKbo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=unCH9I4hEkpPnL3vbdd10FYS4ksJ/AfDRnPESu7Oel8=; b=OZ6rgJ+pbCb9nYbzmohCJywv0P3BAbRYMD3f1jgseY7VzSN9urrLv3vgh1QHQEaE7W bU+gn6wA2cB7WBViSrsl3w05B98gtjH6YakzWLJUqy5oBpDtkod60fG/BaKfznjv3ft0 mL39GP2x9VTMHreibjXQGo57ujlMYTKYoBAoh6H9R+zM6ka54om911r9NGUlTG8ez6XT jMbchoYmKDk285SprrWtsMoI3XU/J4V6biWW/BLPqyD0+AUVTlBcPtawQ6blsIhFjC5e 3qOrUWNJc7myHPYPEMa8AIAMZk3liAr6fMGnjQeKI4I0upCHINaFgKVAsafOoQSFANzX 4EUw==
X-Gm-Message-State: AODbwcBTA4cfI2/cs1TPOgMQdcVflODhAS6RsVtZlPe8LSm0BCGiLCt8 xT7ZKkVsoef3V6pihxY61y9ro2aQwi8E
X-Received: by 10.98.30.129 with SMTP id e123mr39901165pfe.240.1495642671161; Wed, 24 May 2017 09:17:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.154.205 with HTTP; Wed, 24 May 2017 09:17:20 -0700 (PDT)
In-Reply-To: <149563962282.28554.14590140614058686244.idtracker@ietfa.amsl.com>
References: <149563962282.28554.14590140614058686244.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 24 May 2017 10:17:20 -0600
Message-ID: <CA+k3eCTOQx6Tnnk2n41GUROsD-LaOz2WwP+i=tqZGbBvR1twvQ@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-native-apps@ietf.org, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c03aa6620410a05504772fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hqIeUxs3Zkz8PPVAQefqH7bzNms>
Subject: Re: [OAUTH-WG] Alexey Melnikov's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 16:17:54 -0000

As far as I can tell, 'NOT RECOMMENDED' is fine per RFC 2119.


from https://www.ietf.org/rfc/rfc2119.txt

4. SHOULD NOT   This phrase, *or the phrase "NOT RECOMMENDED"* mean that
   there may exist valid reasons in particular circumstances when the
   particular behavior is acceptable or even useful, but the full
   implications should be understood and the case carefully weighed
   before implementing any behavior described with this label.

And also this errata notes that NOT RECOMMENDED should be in the first
part of the abstract
https://www.rfc-editor.org/errata_search.php?rfc=2119&eid=499


On Wed, May 24, 2017 at 9:27 AM, Alexey Melnikov <aamelnikov@fastmail.fm>
wrote:

> Alexey Melnikov has entered the following ballot position for
> draft-ietf-oauth-native-apps-11: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> A couple of nits:
>
> 8.2.  OAuth Implicit Grant Authorization Flow
>
>    The OAuth 2.0 implicit grant authorization flow as defined in
>    Section 4.2 of OAuth 2.0 [RFC6749] generally works with the practice
>    of performing the authorization request in the browser, and
> receiving
>    the authorization response via URI-based inter-app communication.
>    However, as the Implicit Flow cannot be protected by PKCE (which is
> a
>    required in Section 8.1), the use of the Implicit Flow with native
>    apps is NOT RECOMMENDED.
>
> NOT RECOMMENDED is not actually a construct allowed by RFC 2119, I think
> you should reword it using "SHOULD NOT".
>
> It would be good to add RFC reference for HTTPS URIs.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>