Ben Campbell has entered the following ballot position for draft-ietf-oauth-introspection-09: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I concur with Alissa's discuss. Additional comments: -- There is no reference to RFC 2119, but there seems to be lots of capitalized 2119 keywords. If those are intended to have the 2119 meaning, please add the usual reference. (I assume that these are intended as 2119 keywords for the remainder of the review.) -- 2.1, first paragraph: If the server MAY support GET, how does a client know to use it? Would you expect them to try and fail? -- 3 Is there a reason not to use a more standard IANA procedure? (I.e. let people request registrations to IANA, and have them forward the requests to the DE?) --3.1, under "Name" The MUST seems unnecessary, as that's the whole point of a registry. -- 4: The security considerations have a lot of restated 2119 keywords. If you want to reinforce those here, it would be better to do so with descriptive language, rather than having multiple occurrences of the same normative language. Redundant normative language is error prone, especially for future updates. -- 4, bullet list: It seems odd to have 2119 keywords in a "For instance" section. --4, 6th paragraph from end The reference to [TLS.BCP] should probably be normative. -- 4, last two paragraphs: "An authorization server offering token introspection MUST be able to understand the token values being presented to it during this call." and "the authorization server MUST be able to decrypt and validate the token in order to access this information." These seem more like statements of fact than normative language. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
