Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-introspection-09: (with COMMENT)
Justin Richer <jricher@MIT.EDU> Tue, 23 June 2015 00:52 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD6F61B3132; Mon, 22 Jun 2015 17:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZtaOFtORaUF; Mon, 22 Jun 2015 17:52:31 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id DE4071B313C; Mon, 22 Jun 2015 17:52:30 -0700 (PDT)
X-AuditID: 12074422-f79d26d0000026d6-d0-5588adce106f
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 7F.1C.09942.ECDA8855; Mon, 22 Jun 2015 20:52:30 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t5N0qSnC016589; Mon, 22 Jun 2015 20:52:29 -0400
Received: from macbook-pro.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t5N0pFIG003545 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 22 Jun 2015 20:52:27 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_7BF79A10-DBF3-41DB-ABA5-CC353331B850"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Justin Richer <jricher@MIT.EDU>
In-Reply-To: <D6D59461-4D80-4B23-8FDB-95C1F86FDDAC@mit.edu>
Date: Mon, 22 Jun 2015 20:52:18 -0400
Message-Id: <075DE2D1-2484-4EFA-BDE0-9F531B9A961E@mit.edu>
References: <20150610002416.13636.71337.idtracker@ietfa.amsl.com> <D6D59461-4D80-4B23-8FDB-95C1F86FDDAC@mit.edu>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.2098)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrKKsWRmVeSWpSXmKPExsUixCmqrHtubUeowf17vBbzO0+zW5zddJvd YsXycosXi3cyW8z4M5HZ4vbclWwWJ9++YnNg91iy5CeTx6ydT1gCmKK4bFJSczLLUov07RK4 Mq5d/MxccDmt4kJ7J1sD49PwLkZODgkBE4m/Pc0sELaYxIV769m6GLk4hAQWM0ksuPaKCcLZ yChxcfNuJpAqIYHHTBK722K6GDk4mAUSJJ488AQJ8wroSTx6+pgdxBYWyJD48OQVWDmbgKrE /JW3mEDKOQWsJfY1gpWzAIU37F3NCDKeWeAXo8STIzvZIeZYSdza/JMFYlWBxMslx8HmiAgo STxv3soCMkdCQFbi61a5CYwCsxCOmIXkCBCbWUBbYtnC18wQtqbE/u7lLJjiGhKd3yayLmBk W8Uom5JbpZubmJlTnJqsW5ycmJeXWqRrqpebWaKXmlK6iREUG+wuSjsYfx5UOsQowMGoxMNb MLkjVIg1say4MvcQoyQHk5Io76o1QCG+pPyUyozE4oz4otKc1OJDjBIczEoivFPnAOV4UxIr q1KL8mFS0hwsSuK8m37whQgJpCeWpGanphakFsFkZTg4lCR4r4AMFSxKTU+tSMvMKUFIM3Fw ggznARrusBZkeHFBYm5xZjpE/hSjopQ473qQZgGQREZpHlwvLHW9YhQHekWYVxukigeY9uC6 XwENZgIa/CW3DWRwSSJCSqqBseDH5YPR0Xu2qy9W6P3kKb/l9NMWkQX8JteEZl10vfPX/Hej gdxVSaPd0YHqM/Wf/1n5UDVq0/sQS1/e0m9H1FJDOJY5Znc4qdR8/zVn7qKqw5F+V562Z2j4 bJm+Lsb8EVfpYVeXHyqBdnPmtZ/fqim+7mfBDcngn/X8J52W5i4/8rqrnG+prhJLcUaioRZz UXEiAJ4xcOw4AwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lfqBKrSyIauvDTLDalqJKCL0ORQ>
Cc: draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-introspection.shepherd@ietf.org, The IESG <iesg@ietf.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-introspection-09: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 00:52:40 -0000
Ben, I’ve uploaded a new draft that should address your comments below: Draft: https://tools.ietf.org/html/draft-ietf-oauth-introspection-10 <https://tools.ietf.org/html/draft-ietf-oauth-introspection-10> Diff: https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-introspection-10.txt <https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-introspection-10.txt> Please let me know if you have any further questions, — Justin > On Jun 11, 2015, at 6:25 PM, Justin Richer <jricher@MIT.EDU> wrote: > > Ben, thanks for your review. Comments inline. > >> On Jun 9, 2015, at 5:24 PM, Ben Campbell <ben@nostrum.com> wrote: >> >> Ben Campbell has entered the following ballot position for >> draft-ietf-oauth-introspection-09: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I concur with Alissa's discuss. >> >> Additional comments: >> >> -- There is no reference to RFC 2119, but there seems to be lots of >> capitalized 2119 keywords. If those are intended to have the 2119 >> meaning, please add the usual reference. (I assume that these are >> intended as 2119 keywords for the remainder of the review.) >> > > This seems to be a bug in the xml2rfc template, I’ll fix that. > >> -- 2.1, first paragraph: >> >> If the server MAY support GET, how does a client know to use it? Would >> you expect them to try and fail? > > Was brought on by Barry Lieba, my suggested fix is to say server MUST support POST, and remain silent on other verbs. Will that suffice? > >> >> -- 3 >> >> Is there a reason not to use a more standard IANA procedure? (I.e. let >> people request registrations to IANA, and have them forward the requests >> to the DE?) >> >> --3.1, under "Name" >> >> The MUST seems unnecessary, as that's the whole point of a registry. > > I pulled the IANA language from other specs, I’ll defer the proper wording and structure of this to other experts. > >> >> -- 4: >> The security considerations have a lot of restated 2119 keywords. If you >> want to reinforce those here, it would be better to do so with >> descriptive language, rather than having multiple occurrences of the same >> normative language. Redundant normative language is error prone, >> especially for future updates. > > Noted. We’re not trying to re-state normative requirements in multiple locations, so I’ll carefully read through this again to make sure we’re saying something new where we add another 2119 statement. > >> >> -- 4, bullet list: >> >> >> It seems odd to have 2119 keywords in a "For instance" section. > > This was at the request of WG members and I’m open to wording it better. People wanted the protected resources to be able to count on count on the AS doing at least some reasonable checks on the token’s state. We can't prescribe exact AS behavior because the nature of tokens is going to vary so wildly (some expire, some don’t). What we want to do is provide a set of common checks that servers need to do in the right circumstances, depending on the nature of their tokens. > >> >> --4, 6th paragraph from end >> >> The reference to [TLS.BCP] should probably be normative. > > It’s a best current practice on deployment practice of a supporting protocol, I think informative is the right level here but I’ll defer to other expertise if there’s a better form. > >> >> -- 4, last two paragraphs: >> >> "An authorization server offering token introspection MUST be able to >> understand the token values being presented to it during this call." and >> "the authorization server MUST be able to decrypt and validate the token >> in order to access this information." >> >> These seem more like statements of fact than normative language. > > This is a fair characterization of this section, we can change those to “needs to” or lowercase “must”. > > — Justin > > >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Ben Campbell's No Objection on draft-i… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Justin Richer
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Justin Richer