Mohamed Boucadair has entered the following ballot position for draft-ietf-oauth-status-list-14: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Hi Tobias, Paul, and Christian,

Thank you for the effort put into this document.

# Overall, the document is well-organized and the various pieces are adequately grafted together. Some cross-referencing would be even better, to link some of the goals to how these are actually addressed in the current design, especially for the following ones:

CURRENT:
   * the specification shall favor a simple and easy-to-understand concept
   * the specification shall be easy, fast and secure to implement in all major programming languages
   * the specification shall be optimized to support the most common use cases and avoid unnecessary complexity of corner cases
   * the Status List shall scale up to millions of tokens to support large-scale government or enterprise use cases
   * the Status List shall enable caching policies and offline support

# The implementation section (which is actually an Operational Consideration section per RFC5706) is really great. Thanks.

# The use of SHOULD throughout the document is worth checking. There are clearly cases where it is not trivial whether this is a nice-to-have, or why a stronger level isn't used, e.g., loop detection or the following:

   * ttl: RECOMMENDED. The ttl (time to live) claim, if present, MUST specify the maximum amount of time, in seconds, that the Status List Token can be cached by a consumer before a fresh copy SHOULD be retrieved.

There are many such occurrences that I’m not listing here, but I’d request you to double-check throughout.

# I tagged a few nits when reviewing the document that I will send you in a PR.

Cheers,
Med
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
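The ttl sentence quoted in the comment above leaves the consumer a real design choice: once ttl has elapsed, is a stale copy of the Status List Token still usable until exp (the SHOULD reading), or must it be discarded if a fresh copy cannot be fetched (a MUST reading)? The following is an added example, written for this archive page and not code from the draft, its authors, or any reference implementation. It assumes the token payload has already been signature-verified and decoded into a dict, that iat, exp and ttl are integer seconds as in JWT (only ttl's meaning is taken from the quoted text), and it introduces its own hypothetical names: CachedStatusList, cache_decision, resolve, the strict flag, the refresh callable and the sample URI.

```python
"""Consumer-side cache policy for a Status List Token, keyed on exp and ttl.

Added illustration, not code from draft-ietf-oauth-status-list.  Assumes
the payload is already signature-verified; claim values are integer seconds.
"""

from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class CacheDecision(Enum):
    FRESH = "fresh"        # cached copy may be served
    REFRESH = "refresh"    # ttl elapsed: a fresh copy should be retrieved
    EXPIRED = "expired"    # exp passed: this copy must not be used at all


@dataclass(frozen=True)
class CachedStatusList:
    payload: dict      # verified claims of the Status List Token
    fetched_at: int    # consumer clock (seconds) when this copy was fetched


# Constructed sample payload (hypothetical URI; status_list contents unused here).
SAMPLE_PAYLOAD = {
    "sub": "https://example.com/statuslists/1",
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,   # 24 hours after iat
    "ttl": 3600,            # consumer may cache this copy for one hour
    "status_list": {"bits": 1, "lst": "<opaque>"},
}


def cache_decision(entry: CachedStatusList, now: int) -> CacheDecision:
    """Classify a cached copy at time `now`: exp is a hard bound, ttl a soft one."""
    exp = entry.payload.get("exp")
    ttl = entry.payload.get("ttl")
    if exp is not None and now >= exp:
        return CacheDecision.EXPIRED
    # ttl, if present, is the maximum time the consumer may cache the copy.
    if ttl is not None and now - entry.fetched_at >= ttl:
        return CacheDecision.REFRESH
    return CacheDecision.FRESH


def resolve(
    entry: CachedStatusList,
    now: int,
    refresh: Callable[[], CachedStatusList],
    strict: bool,
) -> Optional[dict]:
    """Return the Status List Token payload to consult at `now`, or None.

    `refresh` fetches a new copy and raises OSError on failure.  `strict=True`
    treats "a fresh copy SHOULD be retrieved" as a MUST: a stale copy is never
    consulted when the refresh fails (fail closed).  `strict=False` keeps the
    SHOULD reading and falls back to the stale copy until exp.
    """
    decision = cache_decision(entry, now)
    if decision is CacheDecision.FRESH:
        return entry.payload
    if decision is CacheDecision.EXPIRED:
        return None
    try:
        fresh = refresh()
    except OSError:
        return None if strict else entry.payload
    # Accept the fresh copy only if it is itself usable right now.
    if cache_decision(fresh, now) is CacheDecision.FRESH:
        return fresh.payload
    return None


if __name__ == "__main__":
    cached = CachedStatusList(SAMPLE_PAYLOAD, fetched_at=SAMPLE_PAYLOAD["iat"])

    def unreachable() -> CachedStatusList:
        raise OSError("status list endpoint unreachable")

    stale_time = SAMPLE_PAYLOAD["iat"] + SAMPLE_PAYLOAD["ttl"]
    print("decision:", cache_decision(cached, stale_time).value)
    print("strict  :", resolve(cached, stale_time, unreachable, strict=True))
    print("lenient :", resolve(cached, stale_time, unreachable, strict=False) is not None)
```

Under the lenient reading a relying party can keep answering "not revoked" from a copy that is up to exp minus ttl seconds out of date when the status endpoint is down; under the strict reading it returns no answer at all. That is the operational difference the SHOULD-versus-MUST question decides.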
