>     Title           : Proof Key for Code Exchange by OAuth Public Clients
>       Filename        : draft-ietf-oauth-spop-09.txt
> https://tools.ietf.org/html/draft-ietf-oauth-spop-09


Some nits on this draft:

1. 42 chars.
The lower limit of 42 chars for code_verifier: is not mentioned in prose (just 
the upper limit); is too high (128-bits=22-chars is sufficient); and doesn't 
correspond to 256-bits (BASE64URL-ENCODE(32 bytes) gives 43 chars, not 42).

2. 
Quotes around "code_verifier" and "code_challenge" in prose are okay, though 
not really necessary as the underscore is enough to distinguish them as 
technical labels. Quotes around these terms in a formula are bad as it looks 
like the formula applies to the 13 or 14 chars of the label. The quoting is 
also used inconsistently.
Suggestion: remove all quotes around "code_verifier" and "code_challenge" in 
prose and formula.
For example, change ASCII("code_verifier") to ASCII(code_verifier).

3.
Two ways to check code_verifier are given in appendix B, whereas only one of 
these is mentioned in section 4.6.
  SHA256(verifier) === B64-DECODE(challenge)
  B64-ENCODE(SHA256(verifier)) === challenge

I suggest only mentioning the 2nd (change 4.6 to use the 2nd, and drop the 1st 
from appendix B). It is simpler to mention only one. It also means 
base64url-decoding is never done, and doesn't need to be mentioned in the spec.


4.
Expand "MTI" to "mandatory to implement".

P.S. Suggesting code challenge method names not exceed 8 chars to be compact is 
a bit perverse given the field holding these values has the long name 
"code_challenge_method" ;)

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
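The S256 construction and the two appendix B checks discussed in points 1 and 3 above, as an added example that is not code from the draft or from the email; the function names are my own, and the lengths it reports (22 chars for 16 octets, 43 for 32) are the ones the email's first nit refers to.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_encode(data: bytes) -> str:
    # BASE64URL-ENCODE as PKCE uses it: URL-safe alphabet, '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding so Python's decoder accepts the unpadded PKCE form.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_code_verifier(num_octets: int = 32) -> str:
    # Verifier built from random octets, as the draft recommends.
    # 16 octets (128 bits) encode to 22 chars; 32 octets (256 bits) to 43.
    return b64url_encode(secrets.token_bytes(num_octets))


def make_code_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_encode(digest)


def verify_encode_compare(code_verifier: str, code_challenge: str) -> bool:
    # The check the email prefers: B64-ENCODE(SHA256(verifier)) === challenge.
    # No decoding needed; constant-time compare so the server leaks nothing
    # about how far the two strings agree.
    return hmac.compare_digest(make_code_challenge(code_verifier), code_challenge)


def verify_decode_compare(code_verifier: str, code_challenge: str) -> bool:
    # The other appendix B form: SHA256(verifier) === B64-DECODE(challenge).
    # This is the one that forces the server to handle malformed base64url.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    try:
        return hmac.compare_digest(digest, b64url_decode(code_challenge))
    except ValueError:  # binascii.Error is a ValueError: undecodable challenge
        return False


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print(len(v), c, verify_encode_compare(v, c), verify_decode_compare(v, c))
```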