Re: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland

Anthony Nadalin <tonynad@microsoft.com> Thu, 18 August 2011 16:58 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: "Lodderstedt, Torsten" <t.lodderstedt@telekom.de>, Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland
Thread-Index: AcxXpdCrqvPON2CRS72O2K03CR90kwDcgn2QAJkH2nAAEvp9YA==
Date: Thu, 18 Aug 2011 16:58:10 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E7263DAE45@SN2PRD0302MB137.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B16804296739434A80B587@TK5EX14MBXC201.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72345028F2D75E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <63366D5A116E514AA4A9872D3C533539570852FDCA@QEO40072.de.t-online.corp>
In-Reply-To: <63366D5A116E514AA4A9872D3C533539570852FDCA@QEO40072.de.t-online.corp>

Agree, against the removal of text.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Lodderstedt, Torsten
Sent: Thursday, August 18, 2011 1:01 AM
To: Eran Hammer-Lahav; oauth@ietf.org
Subject: Re: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland

>> 1.4.3.  Resource Owner Password Credentials: Comment on "(when combined
>> with a refresh token)": "This is the first time that refresh tokens are
>> mentioned in the spec. And yet there is no explanation of what they are.
>> I suspect they should anyway be introduced in section 1.4.1 (as
>> previously noted) and then their use here will make sense. If that isn't
>> possible then it would be good to have a forward reference to section
>> 1.5 below so the reader has some idea of what's going on."

> I removed '(when combined with a refresh token)'. This is actually not
> true as there is no assumption that access tokens are always short-lived
> or that refresh tokens will always be issued to native applications
> using this grant type.

-1 against removing this text (w/o a suitable replacement) and w/o group consent.

The -20 text clearly points out that this combination "... eliminates the need for the client to store the resource owner credentials for future use". The resource owner grant type alone does not justify this statement.
It's true that the spec does not explicitly define the lifetime assumption for access and refresh tokens (which is a pity in my opinion). So at least add something like "if the token lifetime is reasonably long".

regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
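The point argued in the thread above, that the resource owner password credentials grant only "eliminates the need for the client to store the resource owner credentials" when a refresh token (or a sufficiently long-lived access token) accompanies the access token, can be made concrete with a small simulation. The following is an added illustration written for this page, not code from the IETF OAuth working group, the draft, or any implementation. The in-memory authorization server, the token lifetimes, the rotating refresh tokens, the test user and the `simulate` helper are all constructed assumptions; the only thing it models is the client's need to re-prompt for the password once an access token has expired.

```python
"""Toy model of the OAuth 2.0 resource owner password credentials grant
(draft -20 section 1.4.3) showing when a client can discard the password.

Constructed illustration for the mailing-list discussion; not code from the
OAuth WG or any real authorization server. Token formats, lifetimes,
refresh-token rotation and the single test user are assumptions.
"""
import hmac
import secrets
import time


class AuthorizationServer:
    """Minimal in-memory AS: checks the password once, then hands out tokens."""

    def __init__(self, access_ttl, issue_refresh, now=time.time):
        self.access_ttl = access_ttl        # access token lifetime in seconds
        self.issue_refresh = issue_refresh  # whether a refresh token accompanies it
        self.now = now                      # injectable clock for the simulation
        self._users = {"alice": "correct horse battery staple"}  # constructed user
        self._access = {}   # access token -> (subject, expires_at)
        self._refresh = {}  # refresh token -> subject

    def token_endpoint(self, grant_type, **params):
        if grant_type == "password":
            user = params["username"]
            # constant-time comparison; a real AS would verify a salted hash
            if not hmac.compare_digest(self._users.get(user, ""), params["password"]):
                raise PermissionError("invalid_grant")
            return self._issue(user)
        if grant_type == "refresh_token":
            # rotate: the presented refresh token is consumed and replaced
            user = self._refresh.pop(params["refresh_token"], None)
            if user is None:
                raise PermissionError("invalid_grant")
            return self._issue(user)
        raise ValueError("unsupported_grant_type")

    def _issue(self, subject):
        access = secrets.token_urlsafe(16)
        self._access[access] = (subject, self.now() + self.access_ttl)
        resp = {"access_token": access, "token_type": "bearer",
                "expires_in": self.access_ttl}
        if self.issue_refresh:
            refresh = secrets.token_urlsafe(16)
            self._refresh[refresh] = subject
            resp["refresh_token"] = refresh
        return resp

    def introspect(self, access_token):
        """True if the access token exists and has not expired."""
        entry = self._access.get(access_token)
        return entry is not None and entry[1] > self.now()


class NativeClient:
    """Client that prompts for the password and keeps only the tokens."""

    def __init__(self, server):
        self.server = server
        self.username = None
        self.access_token = None
        self.refresh_token = None
        self.password_prompts = 0  # how often the resource owner had to type it

    def login(self, username, ask_password):
        self.password_prompts += 1
        resp = self.server.token_endpoint("password", username=username,
                                          password=ask_password())
        self.username = username  # the username alone is not a credential
        self._store(resp)         # the password itself is never retained

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token")

    def get_access_token(self, ask_password):
        """Return a usable access token, refreshing or re-prompting as needed."""
        if self.server.introspect(self.access_token):
            return self.access_token
        if self.refresh_token is not None:
            try:
                self._store(self.server.token_endpoint(
                    "refresh_token", refresh_token=self.refresh_token))
                return self.access_token
            except PermissionError:
                pass  # refresh token revoked or expired: fall through
        # Without a refresh token the only way forward is the password again.
        self.login(self.username, ask_password)
        return self.access_token


def simulate(access_ttl, issue_refresh, interval, calls=3):
    """Log in, then make `calls` API calls `interval` seconds apart.
    Returns how many times the client needed the resource owner's password."""
    clock = [1000.0]  # constructed fake time so the run is deterministic
    server = AuthorizationServer(access_ttl, issue_refresh, now=lambda: clock[0])
    client = NativeClient(server)
    ask = lambda: "correct horse battery staple"  # stands in for a UI prompt
    client.login("alice", ask)
    for _ in range(calls):
        clock[0] += interval
        assert server.introspect(client.get_access_token(ask))
    return client.password_prompts


if __name__ == "__main__":
    print("short-lived access + refresh token :", simulate(60, True, 61))
    print("short-lived access, no refresh     :", simulate(60, False, 61))
    print("long-lived access, no refresh      :", simulate(10**6, False, 61))
```

With a 60-second access token and a refresh token the password is entered once; with the same access token and no refresh token every expired call sends the client back to the resource owner (or forces it to store the password, which is exactly the situation the -20 sentence says is eliminated); with a long-lived access token and no refresh token the single prompt suffices for as long as the token lives, which is the lifetime caveat suggested above.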