Re: [OAUTH-WG] Opsdir last call review of draft-ietf-oauth-device-flow-10

William Denniss <wdenniss@google.com> Thu, 02 August 2018 21:42 UTC

In-Reply-To: <152880273680.9205.1844934984494262436@ietfa.amsl.com>
References: <152880273680.9205.1844934984494262436@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 02 Aug 2018 14:41:56 -0700
Message-ID: <CAAP42hC4GL2OGoMXSPPo4_4-VZbqfECgH6N+Rb=0mrfrrZ+A7A@mail.gmail.com>
To: Qin Wu <bill.wu@huawei.com>
Cc: ops-dir@ietf.org, draft-ietf-oauth-device-flow.all@ietf.org, ietf@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k4hkVuz4E7evxyI7RvrvcOYV5us>
Subject: Re: [OAUTH-WG] Opsdir last call review of draft-ietf-oauth-device-flow-10

Qin,

Thank you for your valuable feedback. Version 12 incorporates some of your
feedback. Replies inline:

On Tue, Jun 12, 2018 at 4:25 AM, Qin Wu <bill.wu@huawei.com> wrote:

> Reviewer: Qin Wu
> Review result: Ready
>
> I have reviewed this document as part of the Operational directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written with the intent of improving the operational
> aspects of the IETF drafts. Comments that are not addressed in last call
> may be included in AD reviews during the IESG review. Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
> Document reviewed: draft-ietf-oauth-device-flow
>
> Summary:
> This document defines device flow among browserless and input-constrained
> devices, end user at browser and authorization server. This device flow
> allows OAuth clients to request user authorization from devices that have
> an Internet connection, but don't have an easy input method. This document
> is well written, especially the security considerations section. I think it
> is ready for publication.
>
> Major issue: None
> Minor issue: Editorial
> Section 3.3.1
> The short name for NFV needs to be expanded, maybe add reference.
> QR code also needs to be expanded.
>

NFC and QR were expanded.


> Section 3.5:
> Who is the token endpoint, and how is the token endpoint related to the
> authorization server? Would it be great to add some clarification text
> about this.


This separation is covered in OAuth.

I added some more references to OAuth 2 in Section 3.1 of version 12.

Could do the same in section 3.5.


> Section 4: Would it be great to clarify the relationship between
> device_authorization_endpoint defined in this document and
> authorization_endpoint defined in draft-ietf-oauth-discovery-10 and explain
> why authorization_endpoint is not sufficient, e.g.,
> draft-ietf-oauth-discovery-10 has already defined authorization server
> metadata value authorization_endpoint, however ……
>

Some text to clarify the distinction between these two endpoints was added
to Section 3.1.

Best,
William
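The two review questions above (how the token endpoint relates to the authorization server, and why device_authorization_endpoint is a separate metadata value from authorization_endpoint) are easiest to see with the endpoints side by side. The following is an added, constructed Python model written for this archive page; it is not code from the draft, from the draft's authors, or from any real authorization server. The metadata document, the `https://as.example` URLs, the `FakeClock`, the `user_code` format and the fixed 600-second lifetime are all assumptions chosen for the illustration; the grant type URN, the parameter names and the error codes (`authorization_pending`, `slow_down`, `expired_token`, `access_denied`) are those defined by the device flow draft.

```python
"""Constructed in-memory model of the OAuth 2.0 device flow endpoints.

The authorization server (AS) exposes three endpoints. authorization_endpoint
is the browser-redirect endpoint from RFC 6749 and is useless to a device with
no browser; the device flow therefore registers its own direct-POST
device_authorization_endpoint in the AS metadata, and reuses the ordinary
token_endpoint (also part of the same AS) for polling with a new grant type.
"""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed AS metadata in the shape of draft-ietf-oauth-discovery. All URLs
# are assumptions; only the key names come from the two drafts.
AS_METADATA = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "device_authorization_endpoint": "https://as.example/device_authorization",
}


class FakeClock:
    """Controllable time source so polling intervals and expiry can be tested."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """One AS owning both the device authorization endpoint and the token endpoint."""

    CODE_LIFETIME = 600   # assumed device_code lifetime in seconds
    BASE_INTERVAL = 5     # assumed minimum polling interval in seconds

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}       # device_code -> request record
        self._by_user_code = {}  # user_code  -> device_code

    def device_authorization(self, client_id, scope=""):
        """device_authorization_endpoint: the device POSTs client_id (and scope)
        and receives a device_code to poll with plus a user_code to display."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "approved": None,
            "user_code": user_code, "expires_at": self.now() + self.CODE_LIFETIME,
            "interval": self.BASE_INTERVAL, "last_poll": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",
                "expires_in": self.CODE_LIFETIME, "interval": self.BASE_INTERVAL}

    def user_decision(self, user_code, approve):
        """What happens at verification_uri: the end user, in a browser on a
        different device, enters the user_code and approves or denies."""
        device_code = self._by_user_code.pop(user_code)
        self._pending[device_code]["approved"] = approve

    def token(self, grant_type, device_code, client_id):
        """token_endpoint: the device polls here with the device_code grant."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.now()
        if now >= rec["expires_at"]:
            self._pending.pop(device_code)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < rec["interval"]:
            # Polled too fast: the draft requires the client to add 5 seconds to
            # its interval after slow_down, so this toy server tracks the same.
            rec["interval"] += 5
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        self._pending.pop(device_code)  # device_code is single use either way
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def device_endpoint(metadata):
    """Client-side discovery check: without device_authorization_endpoint the AS
    cannot serve browserless devices, however complete authorization_endpoint is."""
    try:
        return metadata["device_authorization_endpoint"]
    except KeyError:
        raise ValueError("authorization server does not support the device flow") from None
```

The model keeps the request record on the AS rather than in the device_code itself, so the token endpoint can enforce the three things a defender cares about here: the client polling is the same client that started the request, the code expires, and it is consumed on first success or denial. Rate limiting through `slow_down` is what makes the user_code guessing space (Section 5 of the draft) survivable in practice; a real AS would also bind the record to the user who approved it.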