[OAUTH-WG] Review of dynamic registration draft

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 20 November 2014 02:56 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Message-Id: <DAF10981-A944-46B5-ACA9-696152C11C9A@gmail.com>
Date: Wed, 19 Nov 2014 16:56:50 -1000
To: oauth <oauth@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kvqWgLasf7F4rCbfDMAUpOUMUHY
Subject: [OAUTH-WG] Review of dynamic registration draft

Hi,

I reviewed draft-ietf-oauth-dyn-reg-20 and have the following questions before we move this to IETF last call.

Section 2: Has there been any consideration in the WG of using alternate auth methods from HTTPAuth, like HOBA? I realize this is referencing OAuth-defined methods from the framework draft, but I would like to know what was considered or not. HOBA is heading to IETF last call soon.

Section 6: Why is there a choice on TLS? I'd recommend you make it require 1.2 unless there is a really compelling argument to have that "must" be either 1.2 or 1.0.

Section 6, paragraph 5: Why are the security recommendations listed as "could"?

Section 6, paragraph 7: What makes it "valid and trusted"? The flow of this paragraph could be improved so the terms "valid" and "trusted" are connected to earlier statements, to separate it better from the plain JSON objects.

Please add a section or interspersed statements on privacy considerations. Include text on what may be of concern (names, contacts, etc.) and what can be done to protect the values (interspersed may be easier), or note that they may be left out to remove concerns.

Thank you,
Kathleen

Sent from my iPhone