Paul Wouters has entered the following ballot position for draft-ietf-oauth-rar-19: Yes
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks to Carl Wallace for his SECDIR review; please see his comments: https://datatracker.ietf.org/doc/review-ietf-oauth-rar-15-secdir-lc-wallace-2022-11-16/

Thanks to Robert Sparks for his GENART review; please see his comments: https://datatracker.ietf.org/doc/review-ietf-oauth-rar-15-genart-lc-sparks-2022-11-17/

I find the geolocation example confusing. Is it giving access to photos taken in the geolocation, or is it giving access to anyone residing in that geolocation?

Section 6.1:

   The AS would compare the type value and the action value to determine that the read access is already covered by the write access previously granted to the client.

I see some ambiguity here if there is a list of 3 requests. If we start out with asking for "write" and received it, and it implies "read", and then a new request comes in to ask for "read", that is clear. The "write" access is dropped. But what if we ask for "write" now? A previous request did give us that, but we dropped the capability and are now re-asking for it again. Should this be allowed or not? Can the document give more guidance on this?

Section 10:

Why "authorization_details_types" and not "authorization_details_types_requests" to ensure there is no confusion with authorization_details_types_supported?

(I guess a bit too late to change the name now, as it seems this is already deployed.)
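The three-request sequence questioned above (write, then read, then write again), as an added illustration that is not part of the ballot or the draft: it models the Section 6.1 comparison of type and action values at the AS. The "write implies read" table, the `account_information` type with its location, and the policy that a narrowing request replaces the earlier grant (so a re-request for the dropped privilege needs fresh authorization) are all constructed assumptions, not rules the draft states.

```python
"""Model of the RAR section 6.1 check: is a newly requested
authorization_details array already covered by what the client holds?
The implication table and the narrowing policy are constructed assumptions."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: which actions a granted action implies, per type.
IMPLIED: Dict[str, Dict[str, Set[str]]] = {
    "account_information": {"write": {"read", "write"}, "read": {"read"}},
}

Key = Tuple[str, Tuple[str, ...]]  # (type, sorted locations)


def _key(ad: dict) -> Key:
    return (ad["type"], tuple(sorted(ad.get("locations", []))))


def effective_actions(granted: List[dict]) -> Dict[Key, Set[str]]:
    """Expand a granted array into the actions effectively available,
    applying the implication table (write also yields read)."""
    eff: Dict[Key, Set[str]] = {}
    for ad in granted:
        implied = IMPLIED.get(ad["type"], {})
        for act in ad.get("actions", []):
            eff.setdefault(_key(ad), set()).update(implied.get(act, {act}))
    return eff


def already_covered(granted: List[dict], requested: List[dict]) -> bool:
    """True when every requested (type, location, action) lies within the
    effective grant, i.e. the AS needs no new user consent."""
    eff = effective_actions(granted)
    return all(set(ad.get("actions", [])) <= eff.get(_key(ad), set())
               for ad in requested)


def apply_request(granted: List[dict], requested: List[dict]) -> Optional[List[dict]]:
    """Least-privilege policy choice for the ambiguity discussed above:
    a covered (narrower or equal) request replaces the grant; anything
    outside the current grant, even if once held, returns None to signal
    that the AS must obtain fresh authorization."""
    return requested if already_covered(granted, requested) else None


# Constructed sample arrays for the write -> read -> write sequence.
LOC = ["https://example.com/accounts"]
WRITE = [{"type": "account_information", "locations": LOC, "actions": ["write"]}]
READ = [{"type": "account_information", "locations": LOC, "actions": ["read"]}]
```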