Jari, thanks for your review. Brian, thanks for your response. I flagged the issue Jari raises below in my DISCUSS ballot — it’s not clear to me why there aren’t normative requirements around confidentiality as there are in the JWT spec and the OAuth 2.0 spec.
Thanks,
Alissa

> On Aug 10, 2018, at 3:49 PM, Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:
>
> Thanks for the review, Jari,
>
> Regarding minimizing details, I'm thinking that incorporating some text along the lines of what's in the Privacy Considerations of RFC 7523 <https://tools.ietf.org/html/rfc7523#section-7> might be a worthwhile addition.
>
>
> On Fri, Aug 3, 2018 at 7:49 AM Jari Arkko <jari.ar...@piuha.net> wrote:
> Reviewer: Jari Arkko
> Review result: Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments.
>
> For more information, please see the FAQ at <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-oauth-token-exchange-14
> Reviewer: Jari Arkko
> Review Date: 2018-08-03
> IETF LC End Date: 2018-08-06
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> This specification describes a standardised protocol for requesting and receiving security tokens from an OAuth 2.0 authorisation service.
>
> I had no experience on OAuth previously, but the document was understandable and, as far as I could determine, had no major issues.
>
> It was a bit more difficult to determine completeness. Security and privacy considerations sections were quite short, for instance, and maybe that's justifiable given the ability to refer to prior RFCs on this subject. However, I suspect one could say more, e.g., Section 7 says "Tokens typically carry personal information and their usage in Token Exchange may reveal details of the target services being accessed", but it does not offer any advice on how such details might be minimised. But perhaps that's already in another RFC as well.
>
> Major issues:
>
> Minor issues:
>
> Nits/editorial comments:
>
> _______________________________________________
> Gen-art mailing list
> gen-...@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth