Re: [OAUTH-WG] [OPS-DIR] Opsdir telechat review of draft-ietf-oauth-native-apps-10
William Denniss <wdenniss@google.com> Mon, 22 May 2017 19:09 UTC
From: William Denniss <wdenniss@google.com>
Date: Mon, 22 May 2017 12:08:36 -0700
Message-ID: <CAAP42hBSj3_B48SN3VmQR2Z8qa2Nzpo7wL8FPr18TvmmeLWoyw@mail.gmail.com>
To: wangzitao <wangzitao@huawei.com>
Cc: "ops-dir@ietf.org" <ops-dir@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-native-apps.all@ietf.org" <draft-ietf-oauth-native-apps.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oNpcnvTsoY-lexQkUKxJ-713Cd0>
Thanks for your review Zitao! Version 12 addresses your comments. Detailed responses below:

On Sun, May 21, 2017 at 8:05 PM, wangzitao <wangzitao@huawei.com> wrote:

> Reviewer: Zitao Wang (Michael)
>
> Review result: Has Nits
>
> I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.
>
> Document reviewed: draft-ietf-oauth-native-apps-10
>
> Summary:
>
> OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case, and how native apps and authorization servers can implement this best practice.
>
> I think the document is written very clearly, except for some small nits:
>
> Page 3: The last sentence of the introduction -- "This practice is also known as the AppAuth pattern".
>
> I suggest adding a reference to explain the AppAuth pattern.

Done.

> Page 3: Terminology -- "OAuth".
>
> I suggest modifying to: "OAuth" The Web Authorization (OAuth) protocol. In this document, OAuth refers to OAuth 2.0 [RFC6749].

I went with: "In this document, OAuth refers to the OAuth 2.0 Authorization Framework [RFC6749]."

The phrase "Web Authorization (OAuth) protocol" only seems to appear in our WG Charter, and not in general usage <https://www.google.com/search?q=web+authorization+protocol>.

> Page 4: Terminology -- "web-view" A web browser UI component.
>
> Does it mean "User Information"? Suggest expanding this abbreviation.

Done.

> Page 5: Figure 1. Are the browser and authorization endpoint some kinds of "external user-agent"? Suggest describing it more clearly.

Now states: "illustrates the interaction of the native app with a browser external user-agent to authorize the user."

> Page 9: PKCE [RFC7636] details how this limitation can be used to execute a code interception attack (see Figure 1).
>
> Does Figure 1 mean "Figure 1 of RFC7636"?

Good catch. I deleted the figure reference, since the entire spec talks about this attack, which is likely sufficient.

> Page 10: However, as the Implicit Flow cannot be protected by PKCE
>
> It seems the reference is omitted here.

Added.

> A run of idnits revealed no errors or flaws. There was 1 warning and 1 comment though:
>
> == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document.

I ran it myself with verbose output, and got:

tmp/draft-ietf-oauth-native-apps__1_.txt(435): Found possible FQDN 'com.example.app' in position 5; this doesn't match RFC 2606's suggested ".example" or ".example.(com|org|net)".

We are actually using an RFC 2606 domain name here, but in reverse domain name notation, which is causing this warning. No changes required.

> Miscellaneous warnings:
> ----------------------------------------------------------------------------
>
> -- The document date (April 26, 2017) is 14 days in the past. Is this intentional?
>
> Checking references for intended status: Best Current Practice
> ----------------------------------------------------------------------------
>
> (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
>
> No issues found here.
>
> Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).
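Added example, not code from the draft, from AppAuth, or from anyone on this thread: a Python walk-through of the PKCE S256 exchange (RFC 7636) that the review's "code interception attack" remark refers to, run against an in-memory stub of the authorization and token endpoints. The AuthorizationServer class with its authorize()/token() methods, the client_id "native-app" and the reverse-DNS redirect URI "com.example.app:/oauth2redirect" are all constructed for the example. It shows why a second app that registered the same custom scheme and received the code still gets invalid_grant: the code_verifier never left the legitimate app, and the server binds the code to SHA-256 of that verifier. It also shows the code being single use, so a replay after a successful redemption fails.

```python
"""PKCE (RFC 7636, S256 method) worked end to end against a stub authorization server.

Added example for this thread; not code from the draft, AppAuth, or any posting.
Models the code interception attack on a native app: a second app that registered
the same custom URI scheme receives the authorization code at the redirect URI but
cannot redeem it, because it never saw the code_verifier. The AuthorizationServer
class, its authorize()/token() methods, the client_id and the redirect URI are
constructed for this example; there is no network I/O.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory stub of the PKCE-relevant parts of the authorization and token endpoints."""

    def __init__(self) -> None:
        # code -> (client_id, redirect_uri, code_challenge)
        self._codes = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        """Bind the challenge to a fresh code; the code goes to whoever handles redirect_uri."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' does not protect against interception")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        """Redeem a code. Any attempt, successful or not, consumes the code (single use)."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        exp_client, exp_redirect, challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_request"}
        # Constant-time compare of the recomputed challenge with the stored one.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_scenario() -> dict:
    """Three redemptions: by an interceptor, by the legitimate app, and a replay."""
    srv = AuthorizationServer()
    client_id = "native-app"                       # constructed
    redirect = "com.example.app:/oauth2redirect"   # reverse-DNS custom scheme, constructed

    # 1. Interception: the attacker's app received code1 via the shared scheme
    #    but has to guess a verifier, since the real one stayed in the victim app.
    v1 = make_code_verifier()
    code1 = srv.authorize(client_id, redirect, make_code_challenge(v1))
    intercepted = srv.token(client_id, redirect, code1, make_code_verifier())

    # 2. Legitimate redemption with the original verifier, then a replay of code2.
    v2 = make_code_verifier()
    code2 = srv.authorize(client_id, redirect, make_code_challenge(v2))
    legit = srv.token(client_id, redirect, code2, v2)
    replay = srv.token(client_id, redirect, code2, v2)
    return {"intercepted": intercepted, "legit": legit, "replay": replay}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The stub refuses the "plain" method outright; RFC 7636 permits it only where S256 is impossible, and on a platform where another app can observe the authorization response a plain verifier is as exposed as the code itself. The verifier-length check and the constant-time comparison mirror what a token endpoint should do before accepting a verifier.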