Thanks for the review, Rifaat. Replies are inline below...

On Mon, Jun 26, 2017 at 6:40 AM, Rifaat Shekh-Yusef <rifaat.i...@gmail.com>
wrote:

> Hi (as individual),
>
> I have reviewed this version of the document and I have the following
> comments/questions:
>
>
> Section 2.1, page 8, last paragraph:
>
>    "In the absence of one-time-use or other semantics specific to the
>     token type, the act of performing a token exchange has no impact on
>     the validity of the subject token or actor token."
>
> Would the validity of the new issued token be impacted later on by the
> validity of the subject or actor tokens?
>

No, the intent is that the tokens presented for exchange need to be valid
at the time of exchange but after that the validity of the issued token is
decoupled from, and has no dependency on, the subject or actor tokens.

Do you feel that the doc should state this more explicitly? If so, a
sentence like this could be added following the text you quoted,
"Furthermore, the validity of the subject token or actor token has no
impact on the validity of the issued token after the exchange has
occurred."




> Section 2.2.2, page 10, second paragraph:
>
>   "If the authorization server is unwilling or unable to issue a token
>    for all the target services indicated by the "resource" or "audience"
>    parameters, the "invalid_target" error code MAY be used in the error
>    response."
>
> Can you please elaborate on why the above text is using "MAY" for the use
> of "invalid_target" in this case?
>
>
To be honest, I don't recall exactly why I went with "MAY" there. And on
seeing your question and reading it again, that feels like it should be
stronger than "MAY".

Should that "MAY" be changed to a "SHOULD"? Or even a "MUST"?




> Section 4.1, page 14, second paragraph:
>
>   "However, claims within the "act" claim pertain only to the identity
>    of the actor and are not relevant to the validity of the containing
>    JWT in the same manner as the top-level claims.  Consequently, claims
>    such as "exp", "nbf", and "aud" are not meaningful when used within
>    an "act" claim, and therefore should not be used."
>
> If the "exp", "nbf", and "aud" claims are not meaningful inside the "act"
> claim, why is the sentence stating that it "should not be used"?
> Would it not be more appropriate to state that it "must not be used"
> instead?
>
>
My thinking here is that saying, 'such as "exp", "nbf", and "aud" claims'
is more of a general statement of guidance rather than a fully inclusive
list of claims that aren't meaningful inside the 'act' claim. And a full
list isn't really feasible given that new claims can be defined in the
future.  So the use of "should" seemed more appropriate in that context
rather than "must" or any RFC 2119 words. We can discuss changing that
somehow, if you and/or other WG members think a change is needed? But that
was my line of reasoning behind the current text.




>
> Regards,
>  Rifaat
>
> On Fri, Jun 2, 2017 at 3:05 PM, Rifaat Shekh-Yusef <rifaat.i...@gmail.com>
> wrote:
>
>> All,
>>
>> We are starting a WGLC on the Token Exchange document:
>> https://www.ietf.org/id/draft-ietf-oauth-token-exchange-08
>>
>> Please, review the document and provide feedback on any issues you see
>> with the document.
>>
>> The WGLC will end in two weeks, on June 17, 2017.
>>
>> Regards,
>>  Rifaat and Hannes
>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

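The Section 4.1 point discussed above (the nested "act" claim is actor identity only, so "exp", "nbf" and "aud" inside it carry no validity semantics), as an added example that is not code from the draft or from anyone in this thread; all claim values and hostnames are constructed and signature verification is assumed to have already happened:

```python
import time

# Added example, not code from the draft or the thread. Signature verification
# is assumed to have already happened; only the decoded claim set is handled.

class InvalidToken(Exception):
    pass

def actor_chain(claims):
    """Collect actor identities from nested "act" claims, outermost first.
    Any "exp", "nbf" or "aud" inside an "act" claim is ignored: per the draft
    it carries no validity semantics there, only the actor's identity matters."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

def validate_claims(claims, expected_aud, now=None, leeway=0):
    """Check top-level exp/nbf/aud only; return (subject, actor chain)."""
    now = time.time() if now is None else now
    if "exp" in claims and now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise InvalidToken("token not yet valid")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    return claims.get("sub"), actor_chain(claims)

def is_valid(claims, expected_aud, now=None):
    try:
        validate_claims(claims, expected_aud, now)
        return True
    except InvalidToken:
        return False

# Constructed sample claim set (not from the draft): a token for an API
# gateway acting for the user, with a further nested actor; the stale "exp"
# inside "act" must not affect validity.
SAMPLE_CLAIMS = {
    "iss": "https://as.example", "sub": "user@example",
    "aud": "https://backend.example",
    "nbf": 1_499_999_940, "exp": 1_500_000_300,
    "act": {"sub": "https://api-gateway.example", "exp": 1,
            "act": {"sub": "https://batch-runner.example"}},
}
```

The same validator would reject the token once the top-level "exp" passes, or when the top-level "aud" does not match the service checking it, while the "exp" of 1 inside "act" never comes into play.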