Hello authors,
Please find my review comments on the PoP Architecture document: https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-02

1. Introduction:

   At the time of writing the OAuth 2.0 protocol family ([RFC6749], [RFC6750], and [RFC6819]) offer a single standardized security mechanism to access protected resources, namely the bearer token.

   [Kepeng] This sentence seems to be incomplete. What offers a security mechanism? Also, why do we mention "at the time of writing"? Has the situation changed now?

2. Section 3:

   The main use case that motivates better-than-bearer token security is the desire of resource servers to obtain additional assurance that the client is indeed authorized to present an access token.

   [Kepeng] About "better-than-bearer": is it a word? Maybe reword the sentence a little bit.

3. Section 3.1:

   1) In a legitimate use case consider chaining of computations whereby a resource server needs to consult other third party resource servers to complete the requested operation.

      [Kepeng] This sentence seems to be incomplete. Maybe reword it a little bit?

   2) In this use case additional information is conveyed to the resource server to ensure that no entity entity has tampered with the TLS connection.

      [Kepeng] Change "is conveyed" to "should be conveyed"?

4. Section 3.3:

   First, an eavesdropper may steal an access token and represent it at a different resource server.

   [Kepeng] Change "represent it at" to "present it to"?

5. Section 3.4:

   These load balancers may terminate the TLS connection setup and HTTP traffic is transmitted in the clear from the load balancer to the resource server.

   [Kepeng] I don't understand "in the clear". Should it be "on the wire"?

Kind Regards,
Kepeng
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
