At the oauth session at IETF 80, I volunteered to review the use
cases document (draft-zeltsan-oauth-use-cases).
Overall I liked the document a lot and thought the structure (pre-
conditions, post-conditions, requirements) was excellent. I do
wonder if the post-conditions aren't somewhat overly focused on
process rather than state in many cases ("Alice's browser downloads
a script [ ... ]"), but that may be a terminological question around
"post-conditions" rather than much to do with actual content.
I also think that it may help to identify which requirements are
in-scope for the working group and which are not. For example,
in 3.11 "The server at www.social.example.com must be able to
redirect Alice's browser to www.sipservice.example.com" is clearly
out-of-scope for oauth, but "The application running at
www.sipservice.example.com must be capable of authenticating Alice
and obtaining her authorization of a request from www.social.example.com"
is not, or at least both the authn and authz steps may not be, and
that would benefit from clarification. And come
to think of it, that's a pretty good example of a case where the
distinction between "pre-condition" and requirement isn't all that
clear.
Individual sections:
3.1 I thought the discussion of token lifetime was a bit muddled.
I think it's probably sufficient to say that expired tokens may be
reissued and that it is possible, when appropriate, to issue relatively
long-lived tokens.
3.2 I didn't understand the second bullet item under "pre-conditions."
I tried substituting both "not" and "now" for "no" and neither of them
worked all that well.
3.11 I think "The application at www.social.example.com must be able to
translate the messages of the Alice's VoIP applet into SIP and RTP
messages" is almost certainly irrelevant.
3.12 I'm insufficiently familiar with XRD to know if it protects private
patient data sufficiently to satisfy HIPPA and other legal requirements.
The discovery component of this seems dicey and can probably be
addressed in a less touchy scenario.
If this document is to provide guidance during the development of
protocol documents, I'm not sure it's worth the effort to sort out pre-
conditions and requirements, although I do think I'd try to put some
effort into identifying what's going to be done by the working group and
what's not.
Overall I think it's an extremely useful document.
Melinda
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
