Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf-oauth-token-exchange-17: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Sat, 06 July 2019 12:59 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E34ED1201A2 for <oauth@ietfa.amsl.com>; Sat, 6 Jul 2019 05:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJeYeHBaE3Oe for <oauth@ietfa.amsl.com>; Sat, 6 Jul 2019 05:59:57 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD21C120048 for <oauth@ietf.org>; Sat, 6 Jul 2019 05:59:56 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id g20so3735685ioc.12 for <oauth@ietf.org>; Sat, 06 Jul 2019 05:59:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/h0CSDMfrKNSBLGbBNt64d255e6fPGYsYwC1IrhGmNY=; b=ijuhoyeH4o0mUyPPGws2ffjdg10CAoXggSgRNdGJX8wMWShTbmRIRdE62LI6+Bd7JM OeJbcOjV97Z0rh1yZMTQyntQj1FfAJZSrZ1EaWnJQNZgxhPq39KY/gcuoSTXEQz900go 1PV3ObTJMtumKJvWEiglwwUJQfPtdjljxPSlM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/h0CSDMfrKNSBLGbBNt64d255e6fPGYsYwC1IrhGmNY=; b=QjJBd64cBpvbXgZzWi6fcGPm9Z4gzWQUmdRP4/56wW8Tklp6RSxJCFZnr+bsBaZQQ8 wnzs2hdk+3Wswk6lA7XB16/cpLYxuQEAzhukzNCPe7+qHtueK50tTqUeiYD3u+Dt3A2b /ofvxspQr31aIKN5No36PpDi1SW0VzJ+77YjOZlAZj5QZXjymBS6e4jd6b8NII//ZrxU c0APd8H5nd4d1Z8gqg5M/dpDpK5vMgPgfIKZuBgXK8L52moLJOn79DU9DpHem/hILT2f mirb7hYzeGqYBO69uQOG7Tz0U2ODKYGmBCPT8+FgYaNh6EN/oSeLwaJfoopBlV4zXYpW NfOw==
X-Gm-Message-State: APjAAAXbgxPJlksHcAm3/iq+eYku89TeOf0meYsjmYsmkhHsObB1ne8T Vi+NXgNV9dZ+i/VC8fusgRVWR1aX7uBUsIvrKgYMxOt2P9W7RdTA0c2XXGrDIuUKfY2XVSgecCz CUK5BWrgmeE10Ig==
X-Google-Smtp-Source: APXvYqzoklKXePlRNFBm4EpEHwudloxuc+CDtP09ySH/etpseRPqij3sXZpKx2TJUtyxU09NMOJ+PKr7T9OfWLbnT+Y=
X-Received: by 2002:a02:a07:: with SMTP id 7mr10389867jaw.65.1562417996097; Sat, 06 Jul 2019 05:59:56 -0700 (PDT)
MIME-Version: 1.0
References: <156238540273.21781.4146676340197499618.idtracker@ietfa.amsl.com>
In-Reply-To: <156238540273.21781.4146676340197499618.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 06 Jul 2019 08:59:30 -0400
Message-ID: <CA+k3eCR4HfiOusEfFsE-T7-PguvJMZr7_K-nGgm3F9y0593E+Q@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a60494058d02c947"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yeaZJTUkJgScRQdkIce_UJwq6TA>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf-oauth-token-exchange-17: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jul 2019 13:00:00 -0000
Thanks Ben, I'll publish an -18 shortly with these suggestions. A bit more detail is inline below. On Fri, Jul 5, 2019 at 11:57 PM Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I'm balloting Yes; this document is solid and well-written. Thanks! I do have a > few additional (largely editorial) suggestions and a question or two, > though. > > Section 2.1 > > The client makes a token exchange request to the token endpoint with > an extension grant type using the HTTP "POST" method and including > the following parameters using the "application/x-www-form- > urlencoded" format with a character encoding of UTF-8 in the HTTP > request entity-body as described in Appendix B of RFC6749 [RFC6749]. > > This is a really long sentence. I see how it got that way, and the RFC > Editor staff will probably have some thoughts on how to reword it, but > if you happen to have thoughts as well, feel free to have at it. > I had at it a little bit and broke it up into two sentences. > > Section 2.2.1 > > expires_in > RECOMMENDED. The validity lifetime, in seconds, of the token > issued by the authorization server. Oftentimes the client will > not have the inclination or capability to inspect the content of > the token and this parameter provides a consistent and token type > agnostic indication of how long the token can be expected to be > valid. For example, the value 1800 denotes that the token will > > nit: hyphenate "token-type-agnostic". > done > Section 4.4 > > Refresh my memory: did we already have a discussion about may_act as an > object vs. an array of objects? > Not to my recollection. I'm honestly not even sure what an array would mean for "may_act". Do you mean for "act"? I suppose an array of objects could be used as the value of "act" as a way to express a chain of delegation. However, the object with optional nesting seemed (to me) a more natural way to express it and has no overhead for the likely most common case of just a single actor. > > Section 5 > > I'd consider also mentioning/linking the OAuth 2.0 security > considerations -- the fact that the STS is colocated with the token > endpoint takes care of ensuring a lot of its security properties. > Makes sense. I'll add that. And refs to RFC6819 and draft-ietf-oauth-security-topics to round it out. > Section 7 > > It's common (but not required, since it will not be relevant upon > publication as an RFC) to note that the indicated values are reflected > in early allocations from the indicated IANA registries. In this case > I'd say "don't bother"... > Not bothering... > Appendix B > > Uh-oh, now we are up to five security ADs that have been around for this > document... > <sigh> an oversight on my part and unfortunate reminder about just how long this document has been in progress. I'll add Roman. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf-oau… Benjamin Kaduk via Datatracker
- Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf… Brian Campbell
- Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf… Benjamin Kaduk
- Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf… Brian Campbell
- Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf… Benjamin Kaduk
- Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf… Brian Campbell