Thanks Brian. See my replies inline...
On Fri, Jun 30, 2017 at 4:08 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> Thanks for the review, Rifaat. Replies are inline below...
>
> On Mon, Jun 26, 2017 at 6:40 AM, Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:
>
>> Hi (as individual),
>>
>> I have reviewed this version of the document and I have the following
>> comments/questions:
>>
>> Section 2.1, page 8, last paragraph:
>>
>> "In the absence of one-time-use or other semantics specific to the
>> token type, the act of performing a token exchange has no impact on
>> the validity of the subject token or actor token."
>>
>> Would the validity of the newly issued token be impacted later on by the
>> validity of the subject or actor tokens?
>
> No, the intent is that the tokens presented for exchange need to be valid
> at the time of exchange but after that the validity of the issued token is
> decoupled from, and has no dependency on, the subject or actor tokens.
>
> Do you feel that the doc should state this more explicitly? If so, a
> sentence like this could be added following the text you quoted,
> "Furthermore, the validity of the subject token or actor token have no
> impact on the validity of the issued token after the exchange has
> occurred."

Yeah, your proposed text looks good to me. It is better to explicitly state that rather than leave it open to different interpretations.

>> Section 2.2.2, page 10, second paragraph:
>>
>> "If the authorization server is unwilling or unable to issue a token
>> for all the target services indicated by the "resource" or "audience"
>> parameters, the "invalid_target" error code MAY be used in the error
>> response."
>>
>> Can you please elaborate on why the above text is using "MAY" for the use
>> of "invalid_target" in this case?
>
> To be honest, I don't recall exactly why I went with "MAY" there. And on
> seeing your question and reading it again, that feels like it should be
> stronger than "MAY".
>
> Should that "MAY" be changed to a "SHOULD"? Or even a "MUST"?

It seems to me that at least "SHOULD" is warranted here. Does anybody have a strong opinion on this?

>> Section 4.1, page 14, second paragraph:
>>
>> "However, claims within the "act" claim pertain only to the identity
>> of the actor and are not relevant to the validity of the containing
>> JWT in the same manner as the top-level claims. Consequently, claims
>> such as "exp", "nbf", and "aud" are not meaningful when used within
>> an "act" claim, and therefore should not be used."
>>
>> If the "exp", "nbf", and "aud" claims are not meaningful inside the "act"
>> claim, why is the sentence stating that it "should not be used"?
>> Would it not be more appropriate to state that it "must not be used"
>> instead?
>
> My thinking here is that saying, 'such as "exp", "nbf", and "aud" claims'
> is more of a general statement of guidance rather than a fully inclusive
> list of claims that aren't meaningful inside the 'act' claim. And a full
> list isn't really feasible given that new claims can be defined in the
> future. So the use of "should" seemed more appropriate in that context
> rather than "must" or any RFC 2119 words. We can discuss changing that
> somehow, if you and/or other WG members think a change is needed? But that
> was my line of reasoning behind the current text.

How about something along the lines of the following to replace the last sentence above:
"Consequently, non-identity claims (e.g. "exp", "nbf", and "aud") are not meaningful when used within an "act" claim, and therefore must not be used".

Regards,
 Rifaat

>> Regards,
>> Rifaat
>>
>> On Fri, Jun 2, 2017 at 3:05 PM, Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:
>>
>>> All,
>>>
>>> We are starting a WGLC on the Token Exchange document:
>>> https://www.ietf.org/id/draft-ietf-oauth-token-exchange-08
>>>
>>> Please, review the document and provide feedback on any issues you see
>>> with the document.
>>>
>>> The WGLC will end in two weeks, on June 17, 2017.
>>>
>>> Regards,
>>> Rifaat and Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
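The three points argued over in this thread (the issued token's validity being decoupled from the subject and actor tokens after the exchange, "invalid_target" when the authorization server cannot serve every requested "audience"/"resource", and the "act" claim carrying identity claims only) are easy to get wrong in an implementation, so here is a self-contained illustration. It is an added example, not code from the draft (later RFC 8693), from Ping Identity, or from anyone on the thread. It uses standard-library HS256 JWTs; the key, issuer, allowed audience set, issued-token lifetime and the set of "identity claims" accepted inside "act" are all constructed assumptions for the demo.

```python
"""Toy token exchange endpoint: validity decoupling, invalid_target, identity-only "act"."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-hmac-key"   # constructed for the demo; never hard-code a real key
ISSUER = "https://as.example"           # assumed issuer identifier
ALLOWED_AUDIENCES = {                   # assumed targets this AS is willing to issue tokens for
    "https://api.example/orders",
    "https://api.example/inventory",
}
ISSUED_LIFETIME = 300                   # assumed lifetime (seconds) of tokens this AS issues
# Assumption: claims that only say *who* the actor is. Anything else found inside "act"
# is reported, matching the "non-identity claims ... must not be used" proposal above.
IDENTITY_CLAIMS = {"iss", "sub", "client_id", "act"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT over the given claims."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: float) -> dict:
    """Check the signature and the *top-level* exp/nbf only; raise ValueError if invalid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def is_valid(token: str, now: float) -> bool:
    try:
        verify_jwt(token, now)
        return True
    except ValueError:
        return False


def non_identity_claims_in_act(claims: dict) -> list:
    """Walk the (possibly nested) "act" chain and list claims that are not identity claims."""
    offenders = []
    act = claims.get("act")
    while isinstance(act, dict):
        offenders.extend(k for k in act if k not in IDENTITY_CLAIMS)
        act = act.get("act")
    return offenders


def token_exchange(subject_token: str, actor_token: str, audiences: list, now=None) -> dict:
    """Delegation-style exchange; returns the JSON body the AS would send back."""
    now = time.time() if now is None else now
    try:
        subject = verify_jwt(subject_token, now)   # both must be valid *at exchange time* ...
        actor = verify_jwt(actor_token, now)
    except ValueError as exc:
        return {"error": "invalid_request", "error_description": str(exc)}
    unsupported = sorted(set(audiences) - ALLOWED_AUDIENCES)
    if unsupported:  # cannot serve *all* requested targets -> invalid_target
        return {"error": "invalid_target",
                "error_description": "cannot issue a token for: " + ", ".join(unsupported)}
    issued = {
        "iss": ISSUER,
        "sub": subject["sub"],
        "aud": list(audiences),
        "iat": int(now),
        "exp": int(now) + ISSUED_LIFETIME,  # ... but the issued token gets its own lifetime,
        "act": {"sub": actor["sub"]},       # not the subject/actor exp; "act" is identity only
    }
    return {
        "access_token": sign_jwt(issued),
        "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_type": "Bearer",
        "expires_in": ISSUED_LIFETIME,
    }
```

Two things worth noticing when running it: once the subject token has expired, `is_valid` rejects it while the token minted from it still verifies, which is exactly the decoupling the proposed Section 2.1 sentence spells out; and `non_identity_claims_in_act` is the check a resource server can apply so that an "exp" or "aud" smuggled into a nested "act" is neither silently honoured nor silently ignored.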