Thanks for the review. We've just published draft 22 addressing this
feedback.

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-22.html

Comments are inline:

> General:  There are more than a couple of Normative references that are
pointing to 'living documents'.  From my reading of the draft these
include:  Cookie Prefixes, Fetch, Web-messaging, service-workers,
webstorage. If at all possible, we need to find a way to specify a
particular version via commit, snapshot, archive to make an immutable
version.  Or find a way to make them Informative.  Basically this draft
will be an RFC - immutable, yet a few of the Normative references are
changeable.

I was able to find links to snapshots of all the living documents
referenced. All references now link to the stable URL versions.

> BCP 14 boilerplate:  idnits (a little blue button '! Nits' on the line
above the text of the draft on the main datatracker page) is throwing
errors on the BCP14 boilerplate.  Ideally, I'd like these fixed before
moving this along (it just eliminates problems down the road).

It looks like these nits fall into a few categories:

* Date issue (will be fixed on publication of a new version)
* Wrong RFC 2119 boilerplate (fixed)
* Non-RFC references (may still be nits, but now reference stable versions)

> Section 6.1.3.2, para 4: '...the BFF SHOULD encrypt its cookie contents.'
Why not a MUST?  Under what circumstances would it be reasonable to ignore
this SHOULD?

We added a sentence following this to clarify that whether or not the BFF
encrypts the cookie contents doesn't affect the security properties of
the BFF pattern.

> Section 6.1.3.2, last para:  Add this to the (Informative) references.

Done

> Section 6.3.4.2.2, first para:  Add 'CryptoKeyPair' to the (Informative)
references.

Done

> Section 7.4, first para, last sentence:  Nit:  'This restrictions' should
either be 'these restrictions' or 'this restriction'.

Done

> Section 11:  RFC6819 is a normative reference, but it is Informational.
We need to call that out in the IETF Last Call, and I have to approve the
downref (which I will do).

Moved this to an informative reference


On Thu, Jan 16, 2025 at 6:27 AM Deb Cooley <debcool...@gmail.com> wrote:

> Here are the comments on my AD review of this draft.  Most of them will be
> easy to fix, except for the normative references to changeable standards:
>
> General:  There are more than a couple of Normative references that are
> pointing to 'living documents'.  From my reading of the draft these
> include:  Cookie Prefixes, Fetch, Web-messaging, service-workers,
> webstorage. If at all possible, we need to find a way to specify a
> particular version via commit, snapshot, archive to make an immutable
> version.  Or find a way to make them Informative.  Basically this draft
> will be an RFC - immutable, yet a few of the Normative references are
> changeable.
>
> BCP 14 boilerplate:  idnits (a little blue button '! Nits' on the line
> above the text of the draft on the main datatracker page) is throwing
> errors on the BCP14 boilerplate.  Ideally, I'd like these fixed before
> moving this along (it just eliminates problems down the road).
>
> Section 6.1.3.2, para 4: '...the BFF SHOULD encrypt its cookie contents.'
> Why not a MUST?  Under what circumstances would it be reasonable to ignore
> this SHOULD?
>
> Section 6.1.3.2, last para:  Add this to the (Informative) references.
>
> Section 6.3.4.2.2, first para:  Add 'CryptoKeyPair' to the (Informative)
> references.
>
> Section 7.4, first para, last sentence:  Nit:  'This restrictions' should
> either be 'these restrictions' or 'this restriction'.
>
> Section 11:  RFC6819 is a normative reference, but it is Informational.
> We need to call that out in the IETF Last Call, and I have to approve the
> downref (which I will do).
>
> Deb
> Sec AD for oauth
>
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org