My thoughts inline

On Sun, Oct 1, 2017 at 11:35 AM, Hannes Tschofenig <[email protected]> wrote:
> [chair hat off]
>
> Hi all,
>
> I believe there are a few changes necessary for
> draft-ietf-ace-oauth-authz in order to complete it and I am wondering
> what the rest of the group thinks.
>
> 1) We have seen various contributions that want to use the ACE framework
> for protocols other than CoAP. Still, the framework document focuses on
> CoAP. I believe we should make it more generic by saying that there are
> profiles using CoAP and others that don't. There shouldn't be anything
> wrong with it.
>

Agree, but I think it is good if we can have examples in some way, and CoAP is a well-known option that people are familiar with.

> 2) There are various references to OSCOAP in the document and I believe
> they are misleading since the framework does not depend on nor even use
> OSCOAP.
>

The references (I can find two) to OSCOAP are informal and use OSCOAP as an object security example. I don't think this is a big issue, but I'm okay with removing these references too. However, I do think examples improve readability.

> 3) The "Client Token" is somewhat experimental and not on par with the
> rest of the document in terms of maturity and alignment with OAuth. I
> would prefer this functionality to be covered in a separate document, if
> someone still cares about it. While OAuth has seen a lot of formal
> analysis this feature obviously hasn't. It should be clear from the
> description that it is underspecified and currently insecure. For
> example, it is not clear how the AS determines freshness of the
> authentication request.
>

Agree, I think the client token should be split out to a separate document so that the framework can proceed.

> Thoughts?
>
> Ciao
> Hannes
>
> _______________________________________________
> Ace mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ace