Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 15 April 2013 21:14 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B0E21F9184 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 14:14:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.601
X-Spam-Level:
X-Spam-Status: No, score=-101.601 tagged_above=-999 required=5 tests=[AWL=0.398, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D2k60LsHOtAw for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 14:14:06 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id BA34721F9380 for <oauth@ietf.org>; Mon, 15 Apr 2013 14:13:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 930A4BE63; Mon, 15 Apr 2013 22:13:35 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pl93e4CB0tF0; Mon, 15 Apr 2013 22:13:34 +0100 (IST)
Received: from [10.87.48.4] (unknown [86.46.29.146]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id D9121BE61; Mon, 15 Apr 2013 22:13:33 +0100 (IST)
Message-ID: <516C6D7D.4050805@cs.tcd.ie>
Date: Mon, 15 Apr 2013 22:13:33 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <51644F9A.9040402@cs.tcd.ie> <516C5E8F.1020807@lodderstedt.net>
In-Reply-To: <516C5E8F.1020807@lodderstedt.net>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 21:14:08 -0000
Hi Torsten, That's great thanks. We're still after a mail from Marius ack'ing no IPR. Be nice to get that. I'll ask for IETF LC in a day or so in case the WG have anything to say, but a couple of follow-ups below that you can take as LC comments from me. On 04/15/2013 09:09 PM, Torsten Lodderstedt wrote: > Hi Stephen, > > I just posted a new revision of the draft > (http://tools.ietf.org/html/draft-ietf-oauth-revocation-07). I tried to > address all the issues you raised (see below). > > Am 09.04.2013 19:27, schrieb Stephen Farrell: >> Hi, >> >> I've done my AD review of this draft. I have two quick questions >> I'd like to get answered before I start IETF LC. Depending on the >> answers maybe we should re-spin or just fire ahead, let's see... >> >> (1) 2.1: "upon the return of the request" isn't right is it? I >> think you mean the response at least. > > adjusted wording to "upon receipt of an HTTP 200 response from the server" >> And what about HTTP error >> handling? What if I get a 503 error? Is the client supposed >> to re-send ever? Don't you need to say? > > Added: > If the server responds with HTTP status code 503, the client must assume > the token still exists and may retry after a reasonable delay. The > server may include a "Retry-After" header in the response to indicate > how long the service is expected to be unavailable to the requesting > client. I think it'd be worth looking at other HTTP consuming specs and maybe asking some folks about that. I suspect you might need to say 5xx rather than just 503 and "reasonable" is gonna set off transport area alarms bells probably. > >> >> (2) 2.2: what's in the response body with a 200 response? If it >> doesn't matter please say so. > > Added: > The content of the response body does not matter as all information is > conveyed in the response code. >> >> I see from the write-up one author hasn't confirmed there are >> no IPR issues. I've sent a Marius a mail so hopefully we >> can sort that as we go. >> >> I also have the following nits that can be fixed (if need >> be) whenever the draft is next changed: >> >> - intro: "app" isn't really a great term to use, can you replace >> with something from 6479. > > Assuming you meant 6749 I changed it to "application" >> >> - section 2: the "MAY include a query component" is sort of >> dangling there, maybe it'd be better moved elsewhere? > > As Justin pointed out, the place is ok. I tried to improve wording a bit. > > "The client requests the revocation of a particular token by making an > HTTP POST request to the token revocation endpoint URL. This URL MAY > include a query component." >> >> - section 2: "MUST be obtained from a trustworthy source." might >> generate comment from IESG members who don't like using 2119 >> terms in ways that don't affect interoperability. (I'm fine with >> it fwiw, and have nearly cured 'em of that craze;-) Consider >> s/MUST/need to/ here. > done >> >> - 2.1: ought there be a registry for token_type_hint values? It >> looks like maybe there ought be. > > Added registry in Section 5.1.2 I'd encourage WG participants to check that and see what they think. We can fix it (if needed) after IETF LC. Cheers, S. >> >> - 2.1: "A client compliant with [RFC6749] must be prepared" was >> that meant to be a 2119 MUST? > yep, changed it. >> >> - section 6: maybe s/shall/need to/ in the last para > done > > regards, > Torsten. >> >> Cheers, >> S. >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] AD review of draft-ietf-oauth-revocati… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell