[apps-discuss] Appsdir review of draft-ietf-oauth-v2-23
ht@inf.ed.ac.uk (Henry S. Thompson) Tue, 07 February 2012 17:31 UTC
Return-Path: <ht@inf.ed.ac.uk>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9442421F888C; Tue, 7 Feb 2012 09:31:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NywJqaOM2DgN; Tue, 7 Feb 2012 09:31:08 -0800 (PST)
Received: from nougat.ucs.ed.ac.uk (nougat.ucs.ed.ac.uk [129.215.13.205]) by ietfa.amsl.com (Postfix) with ESMTP id 5029721F8882; Tue, 7 Feb 2012 09:31:07 -0800 (PST)
Received: from nutty.inf.ed.ac.uk (nutty.inf.ed.ac.uk [129.215.33.33]) by nougat.ucs.ed.ac.uk (8.13.8/8.13.4) with ESMTP id q17HUds4013044; Tue, 7 Feb 2012 17:30:44 GMT
Received: from calexico.inf.ed.ac.uk (calexico.inf.ed.ac.uk [129.215.24.15]) by nutty.inf.ed.ac.uk (8.13.8/8.13.8) with ESMTP id q17HUc4j007695; Tue, 7 Feb 2012 17:30:38 GMT
Received: from calexico.inf.ed.ac.uk (localhost [127.0.0.1]) by calexico.inf.ed.ac.uk (8.14.4/8.14.4) with ESMTP id q17HUc1B020959; Tue, 7 Feb 2012 17:30:38 GMT
Received: (from ht@localhost) by calexico.inf.ed.ac.uk (8.14.4/8.14.4/Submit) id q17HUbak020955; Tue, 7 Feb 2012 17:30:37 GMT
X-Authentication-Warning: calexico.inf.ed.ac.uk: ht set sender to ht@inf.ed.ac.uk using -f
To: apps-discuss@ietf.org, barryleiba@gmail.com, dick.hardt@gmail.com, dr@fb.com, eran@hueniverse.com, hannes.tschofenig@gmx.net, stephen.farrell@cs.tcd.ie
From: ht@inf.ed.ac.uk
Date: Tue, 07 Feb 2012 17:30:37 +0000
Message-ID: <f5bfwemh7pe.fsf@calexico.inf.ed.ac.uk>
User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.4.21 (linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Edinburgh-Scanned: at nougat.ucs.ed.ac.uk with MIMEDefang 2.60, Sophie, Sophos Anti-Virus, Clam AntiVirus
X-Scanned-By: MIMEDefang 2.60 on 129.215.13.205
X-Mailman-Approved-At: Tue, 07 Feb 2012 09:34:04 -0800
Cc: iesg@ietf.org
Subject: [apps-discuss] Appsdir review of draft-ietf-oauth-v2-23
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2012 17:31:09 -0000
I have been selected as the Applications Area Directorate reviewer for this draft (for background on appsdir, please see http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate). Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft. Document: draft-ietf-oauth-v2-23 Title: The OAuth 2.0 Authorization Protocol Reviewer: Henry S. Thompson Review Date: 2012-02-07 IETF Last Call Date: 2012-01-24 Summary: This draft is almost ready for publication as an Proposed Standard but has a few issues that should be fixed before publication [Note - My expertise is in the areas of markup and architecture, with only the average geek's understanding of security and cryptographic technologies. Any comments below on security issues are therefore of the nature of general audience concerns, rather than technical worries.] Major Issues: 3.1.2.1 The failure to require TLS here is worrying. At the very least I would expect a requirement that clients which do _not_ require TLS MUST provide significant user feedback calling attention to this -- by analogy, absence of a padlock does _not_ suffice. . . 2.1.2.5 In a somewhat parallel case, I would expect this section to at least explain why the SHOULD NOT is not a MUST NOT. Since in practice the distinction between trusted and untrusted 3rd-party scripting is difficult if not impossible to draw, as written the 2nd para is effectively overriden by the third. 11 It seems at best old-fashioned that the designer of a new access token type, parameter, endpoint response type or extension error has no better tool available than Google to help him/her discover whether the name they have in mind is in use already. The same is true under the proposed approach for any developer trying to determine what they can use or must support. Is there some reason that mandated URI templates, after the fashion of http://www.iana.org/assignments/media-types/text/... are not mandated for the registries, e.g. http://www.iana.org/assignments/access-token-types/bearer ? If there is a good reason, please use it to at least explicitly acknowledge and justify the basis for failing to provide a way for users and developers to use the "follow your nose" strategy [1]. If there is no good reason, please include the appropriate language to require something along the lines suggested above. If you need a model, see [2]. Minor Issues: A short summary of the changes from OAuth 1.0/RFC5849 would have been helpful, and it might still be a good idea to add one. . . 4.1 Would it be helpful to indicate that steps D&E may occur at any time after C, and may be repeated subsequently? 11.1 It might be useful to have an 11.1.2, which repeats references to the bearer and mac access token type registration drafts? Nits: Apostrophes are missing in a few places in the text ("end-user s", "OAuth s"), presumably because a non-standard character encoding was used by one of the editors. 9 The bulleted list after "When choosing between an external or embedded user-agent, developers should consider:" contains several grammatical errors, e.g. "External user-agents. . . It" and "Embedded user-agents educate end-user" . . . ht [1] http://www.w3.org/2001/tag/doc/selfDescribingDocuments.html [2] http://www.w3.org/2005/04/xpointer-schemes/ -- Henry S. Thompson, School of Informatics, University of Edinburgh 10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440 Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk URL: http://www.ltg.ed.ac.uk/~ht/ [mail from me _always_ has a .sig like this -- mail without it is forged spam]
- [apps-discuss] Appsdir review of draft-ietf-oauth… Henry S. Thompson
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Henry S. Thompson
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Eran Hammer
- Re: [apps-discuss] Appsdir review of draft-ietf-o… Eran Hammer
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Barry Leiba
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Henry S. Thompson
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Barry Leiba
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Henry S. Thompson
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Barry Leiba
- Re: [apps-discuss] [OAUTH-WG] FW: Appsdir review … Henry S. Thompson
- Re: [apps-discuss] Appsdir review of draft-ietf-o… Henry S. Thompson