Re: [OAUTH-WG] [OPS-DIR] Opsdir telechat review of draft-ietf-oauth-native-apps-10

William Denniss <wdenniss@google.com> Mon, 22 May 2017 19:09 UTC

From: William Denniss <wdenniss@google.com>
Date: Mon, 22 May 2017 12:08:36 -0700
Message-ID: <CAAP42hBSj3_B48SN3VmQR2Z8qa2Nzpo7wL8FPr18TvmmeLWoyw@mail.gmail.com>
To: wangzitao <wangzitao@huawei.com>
Cc: "ops-dir@ietf.org" <ops-dir@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-native-apps.all@ietf.org" <draft-ietf-oauth-native-apps.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>

Thanks for your review Zitao!

Version 12 addresses your comments. Detailed responses below:

On Sun, May 21, 2017 at 8:05 PM, wangzitao <wangzitao@huawei.com> wrote:

> Reviewer: Zitao Wang (Michael)
>
> Review result: Has Nits
>
> I have reviewed this document as part of the Operational
> directorate's ongoing effort to review all IETF documents being processed
> by the IESG.  These comments were written with the intent of improving the
> operational aspects of the IETF drafts. Comments that are not addressed in
> last call may be included in AD reviews during the IESG review.  Document
> editors and WG chairs should treat these comments just like any other last
> call comments.
>
> Document reviewed:  draft-ietf-oauth-native-apps-10
>
> Summary:
>
> OAuth 2.0 authorization requests from native apps should only be made
> through external user-agents, primarily the user's browser. This
> specification details the security and usability reasons why this is
> the case, and how native apps and authorization servers can implement
> this best practice.
>
> I think the document is written very clearly, except for some small nits:
>
> Page 3:     The last sentence of introduction-- "This practice is also
> known as the AppAuth pattern".
>
> I suggest adding a reference to explain the AppAuth pattern.
>
>
Done


> Page 3:     Terminology -- "OAuth".
>
> I suggest modifying to: "OAuth"   The Web Authorization (OAuth) protocol.
> In this document, OAuth refers to OAuth 2.0 [RFC6749].
>
I went with:
"In this document, OAuth refers to the OAuth 2.0 Authorization Framework
[RFC6749]."

The phrase "Web Authorization (OAuth) protocol" only seems to appear in our
WG Charter, and not general usage
<https://www.google.com/search?q=web+authorization+protocol>.


> Page 4:     Terminology -- "web-view"  A web browser UI component.
>
> Does it mean "User Information"?  Suggest expanding this abbreviation.
>
>
Done.


> Page 5:     Figure 1.   Are the browser and authorization endpoint
> some kinds of "external user-agent"? Suggest describing it more clearly.
>

Now states:
"illustrates the interaction of the native app with a browser
external user-agent to authorize the user."

> Page 9:   PKCE [RFC7636] details how this limitation can be used to
> execute a code interception attack (see Figure 1).
>
> Does "Figure 1" mean "Figure 1 of RFC7636"?
>

Good catch. I deleted the figure reference, since the entire spec talks
about this attack, which is likely sufficient.


>
> Page10:     However, as the Implicit Flow cannot be protected by PKCE
>
> It seems the reference is omitted here.
>

Added.


> A run of idnits revealed no errors or flaws. There was 1 warning and 1 comment, though:
>
>   == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
>      document.
>
I ran it myself with verbose output, and got:

tmp/draft-ietf-oauth-native-apps__1_.txt(435): Found possible FQDN
'com.example.app' in position 5; this doesn't match RFC 2606's
suggested ".example" or ".example.(com|org|net)".


We are actually using an RFC 2606 domain name here, but in reverse domain
name notation, which is what causes this warning.

No changes required.


>   Miscellaneous warnings:
>   ----------------------------------------------------------------------------
>
>   -- The document date (April 26, 2017) is 14 days in the past.  Is this
>      intentional?
>
>   Checking references for intended status: Best Current Practice
>   ----------------------------------------------------------------------------
>
>      (See RFCs 3967 and 4897 for information about using normative references
>      to lower-maturity documents in RFCs)
>
>      No issues found here.
>
>      Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).
>
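The idnits false positive discussed above (a custom scheme in reverse domain name notation hiding an RFC 2606 reserved name), worked through as an added example that is not part of the thread or the draft. The `IDNITS_OK` pattern is my approximation of the check quoted in the idnits output, not idnits' own code, and the sample redirect URI is constructed.

```python
import re

# RFC 2606 reserved names: the TLDs .test, .example, .invalid and .localhost,
# plus the second-level names example.com, example.net and example.org.
RFC2606_TLDS = ("test", "example", "invalid", "localhost")
RFC2606_SLDS = ("example.com", "example.net", "example.org")

# Assumption: approximates the idnits heuristic quoted in the thread, which
# accepts a dotted name only if it ends in "example" or "example.(com|org|net)".
IDNITS_OK = re.compile(r"(^|\.)example(\.(com|org|net))?$")


def is_rfc2606_name(fqdn: str) -> bool:
    """True if fqdn is, or sits under, one of the RFC 2606 reserved names."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[-1] in RFC2606_TLDS:
        return True
    return ".".join(labels[-2:]) in RFC2606_SLDS


def idnits_heuristic_passes(name: str) -> bool:
    """Apply the approximated nit check to the name exactly as it appears."""
    return IDNITS_OK.search(name.lower()) is not None


def scheme_to_fqdn(redirect_uri: str) -> str:
    """Map a reverse-domain-notation custom scheme (com.example.app:/cb)
    back to the conventional domain name (app.example.com)."""
    scheme = redirect_uri.split(":", 1)[0]
    return ".".join(reversed(scheme.lower().split(".")))


def idnits_false_positive(redirect_uri: str) -> bool:
    """True when the raw scheme trips the nit check, yet read as a reversed
    domain name it is an RFC 2606 reserved name (the case in the thread)."""
    scheme = redirect_uri.split(":", 1)[0]
    return (not idnits_heuristic_passes(scheme)
            and is_rfc2606_name(scheme_to_fqdn(redirect_uri)))


if __name__ == "__main__":
    # Constructed sample redirect URI using the draft's com.example.app scheme.
    uri = "com.example.app:/oauth2redirect"
    print(scheme_to_fqdn(uri), idnits_false_positive(uri))
```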