Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 15 April 2013 20:09 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7EBB21F93C6 for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 13:09:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zo7bGbjLmZ6c for <oauth@ietfa.amsl.com>; Mon, 15 Apr 2013 13:09:54 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.94]) by ietfa.amsl.com (Postfix) with ESMTP id ABD4321F9361 for <oauth@ietf.org>; Mon, 15 Apr 2013 13:09:53 -0700 (PDT)
Received: from [79.253.61.122] (helo=[192.168.71.20]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1URpip-0002Um-Ms; Mon, 15 Apr 2013 22:09:51 +0200
Message-ID: <516C5E8F.1020807@lodderstedt.net>
Date: Mon, 15 Apr 2013 22:09:51 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <51644F9A.9040402@cs.tcd.ie>
In-Reply-To: <51644F9A.9040402@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------010302010605060704010809"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-revocation-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 20:09:55 -0000
Hi Stephen, I just posted a new revision of the draft (http://tools.ietf.org/html/draft-ietf-oauth-revocation-07). I tried to address all the issues you raised (see below). Am 09.04.2013 19:27, schrieb Stephen Farrell: > Hi, > > I've done my AD review of this draft. I have two quick questions > I'd like to get answered before I start IETF LC. Depending on the > answers maybe we should re-spin or just fire ahead, let's see... > > (1) 2.1: "upon the return of the request" isn't right is it? I > think you mean the response at least. adjusted wording to "upon receipt of an HTTP 200 response from the server" > And what about HTTP error > handling? What if I get a 503 error? Is the client supposed > to re-send ever? Don't you need to say? Added: If the server responds with HTTP status code 503, the client must assume the token still exists and may retry after a reasonable delay. The server may include a "Retry-After" header in the response to indicate how long the service is expected to be unavailable to the requesting client. > > (2) 2.2: what's in the response body with a 200 response? If it > doesn't matter please say so. Added: The content of the response body does not matter as all information is conveyed in the response code. > > I see from the write-up one author hasn't confirmed there are > no IPR issues. I've sent a Marius a mail so hopefully we > can sort that as we go. > > I also have the following nits that can be fixed (if need > be) whenever the draft is next changed: > > - intro: "app" isn't really a great term to use, can you replace > with something from 6479. Assuming you meant 6749 I changed it to "application" > > - section 2: the "MAY include a query component" is sort of > dangling there, maybe it'd be better moved elsewhere? As Justin pointed out, the place is ok. I tried to improve wording a bit. "The client requests the revocation of a particular token by making an HTTP POST request to the token revocation endpoint URL. This URL MAY include a query component." > > - section 2: "MUST be obtained from a trustworthy source." might > generate comment from IESG members who don't like using 2119 > terms in ways that don't affect interoperability. (I'm fine with > it fwiw, and have nearly cured 'em of that craze;-) Consider > s/MUST/need to/ here. done > > - 2.1: ought there be a registry for token_type_hint values? It > looks like maybe there ought be. Added registry in Section 5.1.2 > > - 2.1: "A client compliant with [RFC6749] must be prepared" was > that meant to be a 2119 MUST? yep, changed it. > > - section 6: maybe s/shall/need to/ in the last para done regards, Torsten. > > Cheers, > S. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] AD review of draft-ietf-oauth-revocati… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-revo… Stephen Farrell