IETF Logo Mail Archive

[GNAP] AD review of draft-ietf-gnap-core-protocol-15

Roman Danyliw <rdd@cert.org> Wed, 06 September 2023 22:23 UTC

Return-Path: <rdd@cert.org>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C5F4C14CE24 for <txauth@ietfa.amsl.com>; Wed, 6 Sep 2023 15:23:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OCHlIw7zla-e for <txauth@ietfa.amsl.com>; Wed, 6 Sep 2023 15:23:23 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0093.outbound.protection.office365.us [23.103.209.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82C04C151992 for <txauth@ietf.org>; Wed, 6 Sep 2023 15:23:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ZDx/uv7YxvBfkX33Yep887pFLf8V0WmNvj09OKj0dGDOHT4pi4pGZUWkI0A8Ili7Hf+7HmdUyv1PT0cvox6itE36NEsQtd1pDQIwt1H1oUS1fI0eUb6KsuS1FkeOgMi1Itm9uSrUJKHQAHPk32j3n9Tx0bLuAEW3H4zRpgpJ+Ue3vtOx9nGq4YL1Va1KLLsTar8plVfZJ+Gg2e/q2vwIL0Ncc1IqQ5jBryKQyIy/ZXzqaSPWV7+LvGg2xlShW4hvIBEUbfzTJyHrUI243uq6e6NUKrCN8LDQUT3aeYQJ27kVxRRBqNsKiyoJfhIyxbNyf/Wv4IR863jhnGgdska7kA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bNLvFzTTEdM3ICHck8o3uj2N3Kf79DUpHCyZPPcPfsM=; b=G3kBiyOUJn9amdXzizXlLOR8euO62Qo+4nTDbBfqDUUxmup431SgdOAAaDMR6e+5nJhXzI7QfJIsJu9sah535fHyYJql2NaYrjMELMpG8SyKwhk5QvYT2R/KvaLQEL8mippNvOpayTOz7M4M3fbiyERPiwKVOwRsys1ghvEnoP6djmiPN8XeygyYOIH86J0b15IISAx4HyLPAnXXEIekvVsYmAY984aw4jzpFKMEEvmyrEGelTReuQ7MIR83zgLqHzfzKZ/+RQ7Zl7WPwrkktD0QnrzdSmEQ+pwL+vK+ivt+iR4rNNP66AFtLZAfLChMxeNcRssNUNkFSvUBTM0HCA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bNLvFzTTEdM3ICHck8o3uj2N3Kf79DUpHCyZPPcPfsM=; b=kAkf9SHOSLJmyOp+F9dVidQkM6h6rz7JMdrEd7XR1tml7sh5rVYsNzHLyeiCqW2GbiUXh0Q8jW4uL1bwIdseylo9ISJEA8tme93K/l1HHTsC57F75kEWaoxFBdSz9r/G6WYuxqD8pDc+DJsNyleLGiggVBmT5VJez57rMEsdZFs=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1656.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17e::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.34; Wed, 6 Sep 2023 22:23:21 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::a75:1fb:d689:ea09]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::a75:1fb:d689:ea09%5]) with mapi id 15.20.6745.030; Wed, 6 Sep 2023 22:23:21 +0000
From: Roman Danyliw <rdd@cert.org>
To: "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: AD review of draft-ietf-gnap-core-protocol-15
Thread-Index: AdnhEGaZz7I/z31LSuKdCt/5BASAXw==
Date: Wed, 06 Sep 2023 22:23:20 +0000
Message-ID: <BN2P110MB1107AE91B428DE2FEAC1C378DCEFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1656:EE_
x-ms-office365-filtering-correlation-id: af3d927f-a19f-4858-afe2-08dbaf27e09a
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: j8Bsw+DJfaUB7LdMGnCAtnqR6tVdle84Bk89gL9zLsJsP4a6tXvrm7TEqe/CIbtBjYQoGa3UBOUgFL4lcyhfzhes427IGOUVTfXGR/m7mDskbeGAQM6zIQj0CsbCWItOfADgzFIpSSrceGVdRS/j+9ERY58qysDZDSCWaWE8d59BLpU3n80lpWXYFtNp7MGOJL59/IflVTj3SgJxz6RMACZ32H0SIc7sEZartIf5lbhIqxWGZerjlsxu1piSybu85XThKEf8BrQKHdaJk2fWVWwy9cNPs3VL1GGRonGjzDoegEC7Dh7nZg4BffnfgciBRjtU/4D2FhayYoif3mgnrfRk7cgGB+mhYCa4B6BIS1u/y2A0e5zXii/69BxId3HkH3cuuIoQoDDYGaciX6SqyIliRmor1oo4nWwAAqGNKWTMZa8XOHK8tU6l9u6N95+R4OCYTmtPOW+B3RH5aJwwm9DKl6gEHVl0xm+Jev3NWrmAbwSWyUI4ieWgFwXR1N3Ie85ZmSFFToIMAo0YF5psgbxrLNuhPbekK0j7+lO3zV/tQcvDAhsNdGf+iDEkG8xu+irmA9VKUJWRw9dXLdd9+gK+/oau1SAlJHZj79mvOFk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39830400003)(366004)(396003)(136003)(186009)(1800799009)(451199024)(8676002)(122000001)(71200400001)(6506007)(7696005)(9686003)(83380400001)(966005)(26005)(66574015)(30864003)(508600001)(4743002)(41320700001)(2906002)(6916009)(66476007)(66556008)(41300700001)(64756008)(52536014)(66446008)(66946007)(8936002)(76116006)(5660300002)(82960400001)(38070700005)(33656002)(86362001)(55016003)(38100700002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: WVY0xiUS2vnkl9OoxF2x1x5YuJJ3OGLjCRztHxxoLvmj5vI7mxALBX65GnbgjBzwUdqVx2oxylyKc6zd7bq5OVyd10Z85q0Ehu79zifZhgyrT5eC9+AE3coayQ0zCsOJpFwpoJC5tKjeADCnImnAn63FGS4C5szsc2vQKMrtApz1CStztP18vRZGMRFINLgOby6oENFuvaTOLVO6EpQYj2I+txOvif6zmmI2Bzz0YgFeDDqkq/5XQ1MdrTb/pLGHuW9JckhcBkuyInOgFNZxV1q9H0XiNlcSDkgzh4rCjxrEY4DQEySX8oqNfGvn5IEu4bdjze0mS1AaXHw5gE84DG4n4H3I+v0nK9iPQABOsIK7Ko4re8XrTIxtb1xew5bh+iX9i9PkRriQiY/JaIsZtreagQ+eG5BhgSeMAoArlZI=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: af3d927f-a19f-4858-afe2-08dbaf27e09a
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2023 22:23:20.9831 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1656
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/9Z-nHJsHEDhREiXFl1hDatizb7Q>
Subject: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2023 22:23:28 -0000

Hi!

I performed an AD review of draft-ietf-gnap-core-protocol-15.  Congrats on getting this core deliverable out of the WG.  This took a tremendous amount of work.  I appreciate everyone's patience as I reviewed this document.  Below is my feedback and it contains no show-stopping protocol feedback.  The majority of it points to places where additional clarity and process would be helpful.


** Section 1.  Editorial.
   GNAP
   and OAuth 2.0 will likely exist in parallel for many deployments, and
   considerations have been taken to facilitate the mapping and
   transition from legacy systems to GNAP. Some examples of these can
   be found in Appendix C.5.

The example in Appendix C.5 appears be constructed around OAuth 2.0.  Is this text suggesting that OAuth is somehow a legacy protocol?  Please rephrase.

** Section 1.2.  Editorial
      The
      client is operated by the end user or it runs autonomously on
      behalf of a resource owner.

      Example: a client can be a mobile application, a web application,
      etc.

These examples seem like ones where there is a end-user.  What is an example of client which runs autonomously on behalf of the resource owner?

** Section 1.2.  Editorial.
Resource Server (RS):  server that provides operations on protected
Resources

“Provides operations” is difficult to parse.  How is this definition different than OAuth’s in RFC6749:

==[ snip ]==
      The server hosting the protected resources, capable of accepting
      and responding to protected resource requests using access tokens.
==[ snip ]==

** Section 1.3.  At the level of detail provided here, what is the difference between an “attribute” and “subject information”?  

** Section 1.4.  Editorial.
Client developers promise to implement
      requirements and generally some recommendations or best practices,
      so that the end users may confidently use their software.

Is that true?  Do developers of applications make such promises?

** Section 1.4
      However, end users might also be facing some attacker's client
      software, without even realizing it.

-- Editorial. s/also be facing some attacker’s/also be facing an attacker’s/

-- Isn’t the end user also equally exposed to incorrectly or poorly implemented clients

** Section 1.4
   *  end user/AS: when the client supports it (see Section 3.3), the
      end user gets to interact with front-channel URIs provided by the
      AS. 

-- Please define the concept of a “front channel URI”?

-- How does GNAP work is the end user doesn’t engage the AS? I ask because the text is written … “when the client support its …”, which would suggest a client at time when it does not.  What happens then?

** Section 1.4
   *  RS/RO: the RS promises it protects its resources from unauthorized
      access, and only accepts valid access tokens issued by a trusted
      AS.  In case tokens are key bound, proper validation is expected
      from the RS.

If this text is about the RO trusting the RS, none of the text here mentions the RO.

** Section 1.5.  Editorial.  Consider providing a forward reference for “continuation access token”?

** Section 2.3
   Both the display and class_id are self-declarative and thus the AS
   SHOULD exercise caution in their interpretation, taking them as a
   hint but not as absolute truth.

-- Is “self-declarative” the same as “free-form”?  Interoperability is not expected and it’s use requires further profiling?

-- Since SHOULD is used, when would the AS NOT exercise caution?

** Section 2.3.  Editorial.

The class_id field can be used in a
   variety of ways to help the a variety of ways to help the AS make
   sense of the particular context in which the client instance is
   operating.

s/can be used in a variety of ways to help the a variety of ways/can be used in a variety of ways to help/.

** Section 2.3
it SHOULD return an
   invalid_client error (Section 3.6) or choose to return lesser levels
   of privileges.

Given the significant flexibility afforded to the “class_id”, is there confidence returning a lesser level of privilege is a normative SHOULD?

** Section 2.3
   If the AS does not know the client instance's public
   key ahead of time, the AS MAY accept or reject the request based on
   AS policy, attestations within the client request, and other
   mechanisms.

Isn’t “AS policy” all encompassing and already covers “attestations within the client request and other mechanisms”?

** Section 2.3
   A client instance that is capable of talking to multiple AS's SHOULD
   use a different key for each AS to prevent a class of mix-up attacks
   as described in Section 13.30.

When would it be a prudent or necessary for the client to use the same key across ASs?  Put in another way, why this flexibility?

** Section 2.4.  Editorial.  Please provide an internal references to the format of “assertions”.

** Section 2.4.  Editorial.  Expand “IdP”.

** Section 2.5.  Editorial
   In this non-normative example, the client instance is indicating that
   it can redirect (Section 2.5.1.1) the end user to an arbitrary URI
   and can receive a redirect (Section 2.5.2.1) through a browser
   request.

   "interact": {
       "start": ["redirect"],
       "finish": {
           "method": "redirect",
           "uri": "https://client.example.net/return/123455",
           "nonce": "LKLTI25DK82FX4T4QFZC"
       }
   }

The example after this one explicitly mentions that this client cannot accept a redirect or push callback.  Isn’t push call back also not supported here?

** Section 2.5

   In this non-normative example, the client instance is indicating that
   it can display a user code (Section 2.5.1.3) and direct the end user
   to an arbitrary URI (Section 2.5.1.1) on a secondary device, but it
   cannot accept a redirect or push callback.

   "interact": {
       "start": ["redirect", "user_code"]
   }

Which part of this example suggests a secondary device?  The definition of “redirect” and “user_code” in Section 2.5.1.1 make no reference to a secondary device.

** Section 2.5

   If the client instance does not provide a suitable interaction
   mechanism, the AS cannot contact the RO asynchronously, and the AS
   determines that interaction is required, then the AS SHOULD return an
   invalid_interaction error (Section 3.6) since the client instance
   will be unable to complete the request without authorization.

The sending of an error message seems to be optional.  When is a silent failure acceptable?

** Section 2.5.2.  nonce.  Is there a minimal or recommended nonce size?

** Section 2.5.2.  Editorial.  s/the the/the/

** Section 2.5.2.1 and 2.5.2.2.

-- method=redirect says, “The client instance's URI MUST be protected by HTTPS, …”

-- method=push says, “The client instance's URI MUST be an HTTP URI and MUST be protected by HTTPS or equivalent”

What is the difference in intent?

What is envisioned with “equivalent”?  This phrase is used a few other times.

** Section 3.  Editorial. s/eg,/e.g.,/

** Section 3.1.  Editorial. s/an an/an/

** Section 3.3.4.  Please use one of the example domains instead of  “srv.ex”

** Section 3.5.  Is there any minimum guidance on the length of an instance_id?

** Section 4.
   The client instance MUST use each interaction method at most once.
   The AS SHOULD handle any interact request as a one-time-use mechanism
   and SHOULD apply suitable timeouts to any interaction start methods
   provided, including user codes and redirection URIs.  The client
   instance SHOULD apply suitable timeouts to any interaction finish
   method.

There is a nuance of the client instance being constrained to using an interaction only once (MUST) but the AS seemingly having some flexibility.  Could this be clarified?

** Section 4.1.
   If the client instance does not start an interaction start mode
   within an AS-determined amount of time, the AS SHOULD reject attempts
   to use the interaction start modes.

If the AS sets a policy that the interaction mode needs to occur in a determined amount of time, why wouldn’t the AS reject the start attempt?

** Section 4.1.2 and 3.3.3.  Could the text please be clearer on the permitted “alphabet” for the user code.

-- Section 3.3.3 says “To facilitate usability, this string MUST consist only of characters that can be easily typed by the end user (such as ASCII letters or numbers)”

-- Section 4.1.2 says “To facilitate this, it is RECOMMENDED that the AS use only ASCII letters and numbers as valid characters for the user code.”

The guidance in Section 3.3.3 seems subjective and doesn’t seem like it would lead to consistent implementations.

Same comments apply for Section 4.1.3.

** Section 4.1.2.
  As a
   consequence, these URIs SHOULD be short.

I understand the spirit of this guidance but “short” is subjective.  Please be more specific or use alternative language.

** Section 4.1.3.  Editorial.  Much of this guidance seems to be verbatim repetition of section 4.1.2.  Is that needed?

** Section 4.2.
   If a
   finish method is not available, the AS SHOULD instruct the RO to
   return to the client instance upon completion.

What is the alternative to this approach if a finish method is not available?

** Section 4.2.2.  Does the interact_ref share the same properties as the nonce defined in Section 2.5.2.  For example, is it an ASCII string?  Does it use the whole ASCII alphabet?

** Section 5.  Typo. s/contination/continuation/

** Section 5 and 9.1
   POST /continue/KSKUOMUKM HTTP/1.1
   Authorization: GNAP 80UPRY5NM33OMUKMKSKU
   Host: server.example.com
   Content-Length: 0
   Signature-Input: sig1=...
   Signature: sig1=...

This example (and a number of them later) appear to be showing a new “GNAP HTTP Authentication Scheme” (i.e., “Authorization: GNAP 80UPRY5NM33OMUKMKSKU”). Section 9.1 also references “responding with the WWW-Authenticate header field and a GNAP challenge.” 

Where is the GNAP authentication scheme formally described and registered? https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml has no such registration and there no IANA action in this document to add it.

** Section 5.4
   The AS SHOULD revoke all associated
   access tokens, if possible.  The AS SHOULD disable all token rotation
   and other token management functions on such access tokens, if
   possible.

Wouldn’t the use of SHOULD instead of MUST here present an issue.  If a client issues a “DELETE” for its access tokens with an AS how does it know that all of it’s tokens have been removed if this flexibility is provided?

** Section 6.1
   To rotate an access token, the client instance makes an HTTP POST to
   the token management URI with no message body, sending the access
   token in the appropriate header and signing the request with the
   appropriate key.

What is the “appropriate header” here?

** Section 6.1
   If the AS is unable or unwilling to rotate the value of the access
   token, the AS responds with an invalid_rotation error (Section 3.6).
   Upon receiving such an error, the client instance SHOULD consider the
   access token to not have changed its state.

Can the second sentence be clarified?  When would a rejection translate to state change?

** Section 7.3.  Typo. s/defines defines/defines/

** Section 7.3
   Key binding method definitions SHOULD
   enumerate how these requirements are fulfilled.

-- Is this guidance to the Designated Expert who is going to review future key binding methods?

-- If so, why would it be acceptable for a new key binding method NOT to explain how it fulfills its requirements?

** Section 7.3.1

   The signer
   SHOULD include the nonce parameter with a unique and unguessable
   value.  When included, the verifier MUST determine that the nonce
   value is unique within a reasonably short time period such as several
   minutes.

How does the verifier determine that the freshness of the nonce to a “short time period”?

** Section 8.  Should it be explicitly said that no interoperability across types?

** Section 8.  Typo. s/the the/the/

** Section 8.
  Specific API
   implementations SHOULD re-use these fields with the same semantics
   and syntax.

Why wouldn’t deviations from the semantics defined here require custom labels from being defined?

** Section 8.  locations.  If these strings aren’t URIs, how else would the RS location be defined?

** Section 8.

   The access requested for each object in the array is the cross-
   product of all fields of the object. 

Is this statement explaining the example or a general statement about interpreting each object in the array?

** Section 9.1
   The opaque access reference MUST be sufficient for at least
   the action the client instance was attempting to take at the RS and
   MAY be more powerful.

Could this guidance be clarified? How is this access reference have any “power” beyond being an identifier that needs to brought to the AS?

** Section 11.  It appears that all of the registries in Section 11.* have a mandatory column to reference the specification document.  Given that requirement, why is the registration policy not “Specification Required” which also includes “Expert Review”?  

** Section 11.  The OAuth registries (FWIW, all OAuth registries are specification required -- https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml.) were all very particular about having a change control column.  Do the circumstances that necessitated that apply to GNAP?

** Section 11.4.2.  Is citing Section 2.2 and 3.4 for id_token and saml2 the right approach?  Those two sections don’t seem to provide anything specific for those mechanisms? Why isn’t the specification document [OIDC] And [SAML2]?  

** Section 13.1

All requests in GNAP have to be made over TLS or equivalent as
   outlined in [BCP195]

“or equivalent” doesn’t mean anything relative to BCP195 which is scoped to (D)TLS.  What is meant by “equivalent”? 

** Section 13.1.

… and any
   back-end communications such as from an RS to an AS as described in
   [I-D.ietf-gnap-resource-servers]

It seems odd to provide normative requirements for another draft.

** Section 13.1.  Editorial.  This section seems to repeat itself a lot.

 (a)    All requests in GNAP have to be made over TLS or equivalent as
   outlined in [BCP195] to protect the contents of the request and
   response from manipulation and interception by an attacker.  This
   includes all requests from a client instance to the AS, all requests
   from the client instance to an RS, any requests back to a client
   instance such as the push-based interaction finish method, and any
   back-end communications such as from an RS to an AS as described in
   [I-D.ietf-gnap-resource-servers].  Additionally, all requests between
   a browser and other components, such as during redirect-based
   interaction, need to be made over TLS or use equivalent protection.

(b)    The use of key-bound access tokens does not negate the requirement
   for protecting calls to the RS with TLS.  

(c)    TLS or equivalent protection also needs to be used between the
   browser and any other components.  

The text in (a) seems helpfully clear that all GNAP communication regardless of the parties needs to be over TLS.  (b) and (c) seem to repeat that.

** Section 13.3.  Editorial.  Expand “SPAs”.

** Section 13.18.

   PKI has historically been difficult to deploy, especially at
   scale, but it remains an appropriate solution for systems where the
   required overhead is not an impediment.

Recommend against this statement without citation or being specific about client-oriented certificates.  Server certificates in the WebPKI, especially since ACME seems to going quite well.

** Section 13.23.  “… (in most cases over HTTP)”, should this be HTTPS?

** Section 13.24.  Typo. s/defence/defense/

** Section 13.24.  Typo. s/Prerequesits/Prerequisites/

** IDNITs reports:

  == Outdated reference: draft-ietf-httpbis-client-cert-field has been
     published as RFC 9440

v2.23.0 | Report a Bug | By Email