On 2016-10-18 10:34, Cigdem Sengul wrote:
Hello Ludwig,Thanks for adding the new sections on requirements on profiles and the examples in the appendix are quite useful too. I list minor typos and request for clarification/consistency below. Hope it helps.
[...] Hello Cigdem,thank you very much for your review. I have addressed your issues in the draft and provided answers inline for your convenience.
Regards, Ludwig
Requests for clarification: ==================== Page 6/Access Token: "The access token is protected against modifications using a MAC or a digital signature, which is added by the AS” Question: Are access tokens also confidentiality protected e.g., encrypted by the AS, to be consumed by RS?
It depends on the encoding of the token, with CWT you indeed have the possibility to encrypt the token.
Added text to clarify this. https://github.com/LudwigSeitz/ace-oauth/issues/62
Correct. Clarified this in section 7.4. and added a reference to this section in section 4.Page 11/Section 4/Token Introspection Response: "The AS can additionally return information that the RS needs to pass on to the client in the form of a client token. The latter is used to establish keys for mutual authentication between client and RS, when the client has no direct connectivity to the AS.” Question: The client still should have had an initial connectivity to the AS, and has acquired an initial access token, right? This seems to be what is described in Page 24.
https://github.com/LudwigSeitz/ace-oauth/issues/63
The client_id and client_secret parameters can be used with any grant as specified in section 2.3.1. of the OAuth 2.0 RFC. This is indeed intended to be a client_credentials grant_type.Page 15/Figure 4: Question: Is the grant_type in this example “client_credentials” or “password”?
Do not confuse this with the "password" parameter of the resource owner password credentials grant. https://github.com/LudwigSeitz/ace-oauth/issues/64
Page 17/Figure 5: Question: Shouldn’t the example contain the “profile” parameter, which was “REQUIRED” in the response in the previous paragraphs.
Right, that was an oversight. https://github.com/LudwigSeitz/ace-oauth/issues/65
Added a clarification as to how the confirmation parameter is used in section 6.4.5.Page 19/20/CoSE_Encrypted: Question: Is this confirmation parameter used when passing the key to the client as a response to POST to /token? Or is it used when passing client token through RS? From Page 24, it seems to be former.
https://github.com/LudwigSeitz/ace-oauth/issues/66
Page 27/Section 8.1: "Profiles of this framework MAY define other methods for token transport. Implementations conforming to this framework MUST implement this method of token transportation.” Question: Do you mean “this framework” or “this draft”. Just want to be absolutely sure, that profiles MAY define other methods for token transport.
Added a clarification in the terminology section. https://github.com/LudwigSeitz/ace-oauth/issues/67
Page 28/Section 9: "Using a single shared secret with multiple authorization server “ Question: There is a type here. “Server” should be “servers” but shouldn’t this be “Resource servers”?
Yes are right, that was a textual error. https://github.com/LudwigSeitz/ace-oauth/issues/68
Page 44/Appendix B: “Resource Server” Question: Is introspection option excluded here deliberately? “ The sentence: "Optionally: Check that the matching tokens are still valid (if this is possible.)” Is this the hint for the introspection?
No it is not, this was a simple oversight. https://github.com/LudwigSeitz/ace-oauth/issues/69 -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park, Building Beta 2 Scheelevägen 17, SE-223 70 Lund Phone +46(0)70-349 92 51The RISE institutes SP, Swedish ICT and Innventia are merging in order to create a unified institute sector and become a stronger innovation partner for businesses and society. At the end of the year we will change our name to RISE. Read more at www.ri.se/en/about-rise
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
