Thanks for the review, Jari,

Regarding minimizing details, I'm thinking that incorporating some text
along the lines of what's in the Privacy Considerations of RFC 7523
<https://tools.ietf.org/html/rfc7523#section-7> might be a worthwhile
addition.


On Fri, Aug 3, 2018 at 7:49 AM Jari Arkko <jari.ar...@piuha.net> wrote:

> Reviewer: Jari Arkko
> Review result: Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-oauth-token-exchange-14
> Reviewer: Jari Arkko
> Review Date: 2018-08-03
> IETF LC End Date: 2018-08-06
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> This specification describes a standardised protocol for requesting and
> receiving security tokens from an OAuth 2.0 authorisation service.
>
> I had no experience on OAuth previously, but the document was
> understandable and as far as I could determine, had no major issues.
>
> It was a bit more difficult to determine completeness. Security and
> privacy considerations sections were quite short, for instance, and maybe
> that's justifiable given the ability to refer to prior RFCs on this
> subject. However, I suspect one could say more, e.g., Section 7 says
> "Tokens typically carry personal information and their usage in Token
> Exchange may reveal details of the target services being accessed", but it
> does not offer any advice on how such details might be minimised. But
> perhaps that's already in another RFC as well.
>
> Major issues:
>
> Minor issues:
>
> Nits/editorial comments:
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
