On 24/10/2018 22:49, Mike Jones wrote:
3.1, 3.2, and 4.1, parameter definitions: None of these parameter
definitions specify the syntax of the parameters defined, making
understanding these quite confusing. Yes, this is talked about later in
the doc but there are not even forward references to where the
definitions are completed in most cases. Please fully specify the
parameters when they are defined.

3.1 req_aud: Doesn’t this duplicate the “resource” parameter defined by
https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01? If
so, please delete this parameter. If not, say how it is different and
why the differences are necessary.

5 cnf in the introspection response: Which token is being referred to by
the phrase “bound to the token”? The access token? The refresh token?
Another kind of token? Please make this more specific.

6 CBOR Mappings. The table contains the magic numbers 8, 17, 18, and
19. From what space are these numbers being allocated and what registry
are they in? Per my earlier reviews of the ace-authz spec, I believe
that the ACE OAuth parameters should all be registered in the CWT Claims
registry because of the possibility of them being used in signed
requests in a manner analogous to
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17. The parameters
need to be registered to avoid claim number conflicts.

Missing Examples: The best thing you could do to help developers
understand what these values are and how they use them is to add
examples, just as was done in RFC 7800. Please add examples of each of
the parameters using the JSON representations of them. Optionally, also
add CBOR examples if you believe that they will convey important
information to developers that the JSON examples don’t.

Thank you,
-- Mike

Hello Mike,

thank you for your review. I've added issues to the tracker here:
https://github.com/ace-wg/ace-oauth-params
and will address your comments.

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
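As an added illustration of the kind of example the review asks for (this is not code from the draft or from anyone in this thread): the same cnf claim in its RFC 7800 JSON form and in CWT/CBOR form, using the cnf claim key 8 and the kid confirmation-method key 3 registered by RFC 8747 (then draft-ietf-ace-cwt-proof-of-possession), plus a check of proposed integer allocations against the CWT claim keys already registered, which is the conflict the review warns about. The kid value and the proposed allocations in the test are constructed, not the draft's real table; the tiny CBOR encoder is hand-written here to keep the block self-contained.

```python
import base64
import json

# CWT claim keys registered by RFC 8392 (1-7) and RFC 8747 (cnf = 8).
CWT_CLAIM_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4,
                  "nbf": 5, "iat": 6, "cti": 7, "cnf": 8}
# Confirmation-method keys inside cnf (RFC 8747, section 3.1).
CNF_KEYS = {"COSE_Key": 1, "Encrypted_COSE_Key": 2, "kid": 3}


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s): major type in the top 3 bits, argument below."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")  # up to 65535


def cbor_encode(v) -> bytes:
    """Minimal CBOR encoder: ints, byte strings, text strings and maps."""
    if isinstance(v, bool):
        raise TypeError("booleans not supported in this minimal encoder")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return _head(3, len(b)) + b
    if isinstance(v, dict):
        items = b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
        return _head(5, len(v)) + items
    raise TypeError(type(v))


def cnf_kid_json(kid: bytes) -> str:
    """JSON form as in RFC 7800: cnf with a kid, base64url without padding."""
    return json.dumps({"cnf": {"kid": base64.urlsafe_b64encode(kid).rstrip(b"=").decode()}})


def cnf_kid_cwt(kid: bytes) -> bytes:
    """Same claim in CWT/CBOR form: integer keys 8 (cnf) and 3 (kid), raw bytes."""
    return cbor_encode({CWT_CLAIM_KEYS["cnf"]: {CNF_KEYS["kid"]: kid}})


def conflicting_allocations(proposed: dict) -> dict:
    """Proposed names whose integer key is already taken by a different CWT claim."""
    taken = {num: name for name, num in CWT_CLAIM_KEYS.items()}
    return {name: taken[num] for name, num in proposed.items()
            if num in taken and taken[num] != name}
```

With the constructed kid b"kid1", the JSON form is {"cnf": {"kid": "a2lkMQ"}} and the CBOR form is a1 08 a1 03 44 6b696431: one-entry map, key 8, one-entry map, key 3, 4-byte string.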