Thank you Seitz for your detailed and quick reply. I agree with your replies (and thank you for the added information) and actions.
Regards -éric -----Original Message----- From: Seitz Ludwig <[email protected]> Date: Thursday, 25 March 2021 at 10:42 To: Eric Vyncke <[email protected]>, The IESG <[email protected]> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]> Subject: RE: [EXTERNAL] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT) Hello Éric, Thank you for your review. I plan to submit an update of the draft to address your comments (and others') by the end of the week. I have some comments inline. /Ludwig > -----Original Message----- > == COMMENTS == > > -- Section 3 -- > Should references/expansions be added for "HTTP/2, MQTT, BLE and QUIC" > ? Fixed > > -- Section 3.1 -- > Suggest to review the order of the definitions, notably popping up > "introspection" as it is used by most of the other terms. > Done > -- Section 4 -- > Mostly cosmetic, any reason why figure 1 is so far away from its mention in > §1 ? > I moved the figure and its explanations up in the section. The figure does not have a strong dependency on the text blocks that were moved down in the process. > In "ensure that its content cannot be modified, and if needed, that the > content is confidentiality protected", I wonder why the confidentiality is only > optional ? As far as I understand it, the possession of an access token grants > access to a ressource, so, it should be protected against sniffing. What did I > miss ? > Actually you also need the proof-of-possession key. If that is only referenced in the token, or if the token only contains the public key part of an asymmetric key pair you could get away with only integrity protecting an access token. > In "If the AS successfully processes the request from the client" may look > ambiguous because processing correctly (per protocol) an invalid credential is > also "successfully processed". Suggest to mention something about "positive > authentication" ;) > Fixed > -- Section 5 -- > As a non-English native speaker, I cannot see the verb in the second > proposition in "For IoT, it cannot be assumed that the client and RS are part > of a common key infrastructure, so the AS provisions credentials or > associated information to allow mutual authentication.". While I obviously > understand the meaning, could it be rephrased ? > Rephrased > -- Section 5.1.1 -- > Could the word "unprotected" be better defined in "received on an > unprotected channel" ? E.g., is it only about TLS ? Else, I like the implicit lack > of trust. > I'd like to avoid restricting the scope to protected/unprotected channels here, since we have profiles that use object security on the individual messages (oscore). > -- Section 5.1.2 -- > I must admit that I have failed to understand the semantic of "audience"... > Can you either explain its meaning or provide a reference ? > Added a reference > -- Section 5.5 -- > In "Since it requires the use of a user agent (i.e., browser)" is it "i.e." or "e.g." > ? This comment seems to refer to an older version of the draft. > > -- Section 5.6 -- > s/the semantics described below MUST be/the semantics described in this > section MUST be/ ? Fixed > > In "The default name of this endpoint in an url-path is '/token'" should > "SHOULD" normative language be used ? > This is inherited from OAuth 2.0, where I was given to understand that this is not even a SHOULD requirement. > -- Section 5.6.4.1 -- > In figure 11, would you mind adding the section ID in addition to RFC 6749 ? I > failed to spot them in RFC 6749. > Done (they are really well hidden in 6749) > -- Section 5.7.2 -- > It is a little unclear to me which profile must be used as 'profile' is optionnial? > Should a default or any profile be used ? Added some guidance > > -- Section 5.8.1 -- > Suggest to use the BCP14 "SHOULD" in the text "The default name of this > endpoint in an url-path is '/authz-info'" I would like to maintain the alignment here with OAuth 2.0 were default endpoint names are not even a SHOULD. > > -- Section 10.2 -- > Is RFC 7049 really an informative reference as CBOR appears as the default > encoding ? This was updated to RFC 8949, which now is a normative reference. > > == NITS == > > s/application layer protocol/application-layer protocol/ ? FIXED > > Should multi-words message names (e.g., AS Request Creation Hints) be > enclosed by quotes ? > > -- Section 2 -- > Please introduce "authz-info" before first use. > There is a reference to the section where authz-info is defined in -38. Are you suggesting some other approach? > -- Section 3.1 -- > "PoP" is expanded twice in this section ;-) Fixed > > "CBOR encoding (CWT) " the "CWT" acronym does not match the expansion > :-) Rephrased this. > > -- Section 4 -- > > Sometimes "Client" is used and sometimes "client" is used... > Fixed > s/reference to a specific credential/reference to a specific access credential/ > ? This actually refers to the proof-of-possession credential. I'll add some clarification. > > -- Section 5.1.2 -- > Can you introduce to "kid" acronym ? It too me a while to understand that it > is > (probably) key-id... :-) In -38 this section now says: "A "kid" element containing the key identifier ...". Does that address your issue? > > Unsure whether "nonce: h'e0a156bb3f'," is the usual IETF way to introduce > an hexadecimal number. It is CBOR diagnostic notation as indicated in the reference to the figure. > > typo in "5.8.4. Key Expriation" :-) Fixed. _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
