[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-resource-metadata-11: (with COMMENT)

2024-10-02 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-resource-metadata-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/



--
COMMENT:
--

Thanks for the document and thanks to Rifaat Shekh-Yusef for the shepherd
write-up including the WG consensus and the justification of the intended
status.

As a Belgian French-speaking person, I smiled when reading `using fr might be
sufficient in many contexts, rather than fr-CA or fr-FR` :-)

More seriously, should the examples in section 3.1 use a more recent HTTP
version ?

Superb use of SVG in section 5, suggest to introduce the "AS" acronym used in
step 6 in the text below the figure (this comment could possibly apply to other
acronyms).

Finally, I agree with John and Murray about their comments about the IANA
section.



___
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org


[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-security-topics-27: (with COMMENT)

2024-05-14 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-security-topics-27: No Objection



The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/



--
COMMENT:
--

Thank you for the work put into this document.

Special thanks to Hannes Tschofenig for the shepherd's detailed write-up
including the WG consensus *BUT* the justification of the intended status is
rather light.

My only comment is more on the flow: for the non-expert reader, reading
sections 3+4 (threat) before will make it easier to understand the reasoning
behind section 2.

I am trusting the SEC and APP ADs for the technical correctness of the document.





[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-dpop-14: (with COMMENT)

2023-04-10 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-dpop-14: No Objection



The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/



--
COMMENT:
--


Thank you for the work put into this document.

Please find below some non-blocking COMMENT points, and some nits.

Special thanks to Rifaat Shekh-Yusef for the shepherd's detailed write-up
including the WG consensus (and the author count) even if the justification of
the intended status is rather light.

I hope that this review helps to improve the document,

Regards,

-éric

# COMMENTS (non blocking)

## Section 1

Should there be a reference to OAuth ?

s/The mechanism described herein /The mechanism specified herein / ? as it is
proposed standard

Adding a short description of SPA would be useful, or simply remove this
reference ?

# NITS (non blocking / cosmetic)

## Section 2

` Properly audience restricting access tokens can prevent such misuse` is
difficult to parse

## Section 4.1

s/repeated below for ease of reference/repeated below in figure 3 for ease of
reference/ ?

## Section 4.2

s/MUST NOT be none or an identifier for a symmetric algorithm (MAC)/MUST NOT be
'none' or an identifier for a symmetric algorithm/

## Section 6.1

`JSON Web Tokens (JWT)` the JWT acronym has already been defined.



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-rar-20: (with COMMENT)

2022-12-15 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-rar-20: No Objection



The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/



--
COMMENT:
--


# Éric Vyncke, INT AD, comments for draft-ietf-oauth-rar-19
CC @evyncke

Thank you for the work put into this document. It is very easy to read and
quite powerful.

Please find below one non-blocking COMMENT point (rather a suggestion).

Special thanks to Hannes Tschofenig for the shepherd's detailed write-up
including the WG consensus ***but*** missing the justification of the intended
status.

I hope that this review helps to improve the document,

Regards,

-éric

## COMMENTS

### Section 1

I like the use of EUR rather than USD ;-)

Suggest to also add "bic" in addition to "iban" to be consistent with
https://en.wikipedia.org/wiki/Single_Euro_Payments_Area

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues.

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments





[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-par-08: (with COMMENT)

2021-06-28 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-par-08: No Objection



Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/



--
COMMENT:
--

Thank you for the work put into this document.

I can only regret that the document shepherd write-up does not include anything
about the WG consensus.

Please find below one non-blocking COMMENT point (no need to reply), and some
nits.

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 1 --
"traditional web applications but is prohibitively difficult to use with mobile
apps", I find the adverb "prohibitively" possibly slightly exaggerated ;-)

== NITS ==

Is this "user-agent" or "user agent" ? As it is not about the HTTP header.

The PAR acronym for "pushed authorization requests" is defined but nearly never
used in the text.

-- Section 1 --
The first § is a single very long sentence. Consider splitting this long
sentence in shorter ones ? Same applies in other places in the document (e.g.,
1st sentence in section 2.4)





[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-jwsreq-32: (with COMMENT)

2021-04-06 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-jwsreq-32: No Objection



Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/



--
COMMENT:
--

Thank you for the work put into this document. Not too many differences since
my review on the -26 (hence I reviewed mainly the diff).

Please find below some non-blocking COMMENT points (but replies would be
appreciated).

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 1 --
Is it normal that the abstract has a) and b) while the introduction has a), b),
and c) ?

-- Section 5.2 --
I see that "Many phones in the market as of this writing" is still in the
text... Does this assertion still hold in 2021 ? Is it backed by some
references ?





[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-05 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-jwsreq-26: No Objection



The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/



--
COMMENT:
--

Thank you for the work put into this document.

Please find below a couple of non-blocking COMMENTs.

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==
Should the document shepherd's write-up be updated ? It is dated October
2016... about 4 years ago.

-- Section 5.2 --
Based on the long history of this document, is the following statement "Many
phones in the market as of this writing still" still valid ?

-- Section 5.2.1 --
Suggest to give a hint about the use of tfp.example.org (TFP is expanded only
in section 10.2).

== NITS ==

Please check the ID-NITS at
https://tools.ietf.org/idnits?url=https://tools.ietf.org/id/draft-ietf-oauth-jwsreq-26.txt





[OAUTH-WG] Éric Vyncke's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)

2019-09-02 Thread Éric Vyncke via Datatracker
Éric Vyncke has entered the following ballot position for
draft-ietf-oauth-resource-indicators-05: No Objection



The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/



--
COMMENT:
--

Thank you for the hard work put into this easy to read document.

Regards,

-éric

== COMMENTS ==

-- Section 1 --
"has uncovered a need, in some circumstances" (and similar sentences in section
1), it is rather vague for a standard track document... Please add some facts
and data, this could be a companion document about requirements/use cases.

-- Section 2 --
It is rather a question of mine, why does the resource need to be a URI (which
usually bears some visible semantics) rather than an opaque string known only
by the resource owner/server ? This is similar to Mirja's comment about privacy.

