[GNAP] review of draft-ietf-gnap-resource-servers-05

Andrii Deinega <andrii.deinega@gmail.com> Tue, 30 April 2024 23:31 UTC

From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Tue, 30 Apr 2024 16:30:49 -0700
Message-ID: <CALkShcvqiCGeKUYDhMcboYKauxeiFgXkWx+Ezy-USWFf_fYK+A@mail.gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/j-hTHUywWR9Sgh5RfO8YwVsa_tA>
Subject: [GNAP] review of draft-ietf-gnap-resource-servers-05

Hello GNAP WG,

I've reviewed this document and came up with these comments below.

1. in the abstract section my preference would be to have

 "GNAP defines a mechanism for delegating authorization to a piece of
software, and conveying the results and artifacts of that delegation
to the software."

just like it's defined in
https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-20.html;
right now it says

"GNAP defines a mechanism for delegating authorization to a piece of
software, and conveying that delegation to the software."

2. sentence "Additionally, this document defines a general-purpose
model for access tokens, which can be used in structured, formatted
access tokens or in the API."

could be rephrased & simplified. What was the intent behind the "API"?
Was it "an API-like mechanism like token introspection"?

3. "implementors" should probably be changed to "implementers". The
same applies to the use of "implementor" in this as well as in the
core spec.

4. sentence "This is not intended to be a universal or comprehensive
list, but instead to provide guidance to implementors when developing
data structures and associated systems across a GNAP deployment."

could be simplified to something like

"This list is not universal nor comprehensive but rather serves as
guidance for implementers in developing data structures and associated
systems across a GNAP deployment."

5. sentence "In the case of an asymmetric algorithm, the model for the
AS and RS need only contain the public key, while the client instance
will also need to know the private key in order to present the token
appropriately."

could be simplified to

"In the case of an asymmetric algorithm, the model for the AS and RS
needs only to contain the public key, while the client instance will
also need to know the private key in order to present the token
appropriately."

6. sentence "The source of this key information can vary depending on
circumstance and deployment" should be changed to "The source of this
key information can vary depending on the circumstances and
deployment."

7. section 7.3 should be called "Caching Token Validation Result",
not "Cacheing Token Validation Result".

8. I suggest changing "the access_token request" and "the access_token
response" to "the access token request" and "the access token
response" accordingly in all places.

9. Some examples of HTTP requests and responses do not include the
Host HTTP header, as an example, the second example in section 3.3
(there are other similar places too).

10. "," in "is appropriate for the access indicated (if present),"
should be removed or changed to "." (section 3.3)

11. The normative section refers to
https://www.rfc-editor.org/rfc/rfc7519 for JWTs. However, it can also
refer to https://www.rfc-editor.org/rfc/rfc9068 from Vittorio, and
that, in my eyes, could be a little better fit. Mainly, because of the
"typ" headers set explicitly to "at+jwt".

12. sentence "Expressed as a integer seconds from UNIX Epoch." should
probably be changed to "Expressed as an integer number of seconds from
the UNIX Epoch." in all places.

All the best,
Andrii
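As an added illustration of review items 11 and 12 (not code from the draft or from the reviewer), the following sketch shows how a resource server could apply the RFC 9068 rule that a structured access token's "typ" header must be "at+jwt" (or "application/at+jwt") and check that "exp" is an integer number of seconds from the UNIX Epoch. The HMAC key, issuer and audience values are constructed for offline demonstration; a real RS would use the AS key material described in the draft's key model.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(key: bytes, typ: str, exp) -> str:
    """Build an HS256 JWT access token; typ and exp are parameters so they can be varied."""
    hdr = {"alg": "HS256", "typ": typ}
    claims = {"iss": "https://as.example", "aud": "https://rs.example", "exp": exp}  # constructed
    h = b64url_encode(json.dumps(hdr, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def validate_access_token(token: str, key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The typ check runs before any signature work."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # covers bad split, bad base64 and JSONDecodeError
        return False, "malformed token"
    # RFC 9068 section 4: typ MUST be at+jwt or application/at+jwt (compared case-insensitively)
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        return False, "typ header is not at+jwt"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp")
    # Review item 12: exp is an integer number of seconds from the UNIX Epoch (bool is an int subclass)
    if not isinstance(exp, int) or isinstance(exp, bool):
        return False, "exp is not an integer number of seconds"
    now = int(time.time()) if now is None else now
    if now >= exp:
        return False, "token expired"
    return True, "ok"
```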