Re: [Ace] WGLC for draft-ietf-ace-oauth-params

Mon, 29 Oct 2018 07:45:29 -0700 

On 24/10/2018 22:49, Mike Jones wrote:
3.1, 3.2, and 4.1, parameter definitions: None of these parameter definitions specify the syntax of the parameters defined, making understanding these quite confusing.  Yes, this is talked about later in the doc but there are not even forward references to where the definitions are completed in most cases.  Please fully specify the parameters when they are defined. 


3.1 req_aud: Doesn’t this duplicate the “resource” parameter defined by 
https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01?  If 
so, please delete this parameter.  If not, say how it is different and 
why the differences are necessary.



5 cnf in the introspection response: Which token is being referred to by 
the phrase “bound to the token”.  The access token?  The refresh token?  
Another kind of token?  Please make this more specific.



6 CBOR Mappings.  The table contains the magic numbers 8, 17, 18, and 
19.  From what space are these numbers being allocated and what registry 
are they in?  Per my earlier reviews of the ace-authz spec, I believe 
that the ACE OAuth parameters should all be registered in the CWT Claims 
registry because of the possibility of them being used in signed 
requests in a manner analogous to 
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17.  The parameters 
need to be registered to avoid claim number conflicts.



Missing Examples:  The best thing you could do to help developers 
understand what these values are and how they use them is to add 
examples, just as was done in RFC 7800.  Please add examples of each of 
the parameters using the JSON representations of them.  Optionally, also 
add CBOR examples if you believe that they will convey important 
information to developers that the JSON example’s don’t.


                                                           Thank you,

                                                           -- Mike


Hello Mike,

thank you for your review. I've added issues to the tracker here:
https://github.com/ace-wg/ace-oauth-params
and will address your comments.

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace






















					Reply via email to