Telechat Review of draft-ietf-kitten-sasl-openid-
review-ietf-kitten-sasl-openid-genart-telechat-carpenter-2012-01-25-00
Request | Review of | draft-ietf-kitten-sasl-openid |
---|---|---|
Requested revision | No specific revision (document currently at 08) | |
Type | Telechat Review | |
Team | General Area Review Team (Gen-ART) (genart) | |
Deadline | 2011-11-15 | |
Requested | 2012-01-06 | |
Authors | Eliot Lear, Hannes Tschofenig, Henry Mauldin, Simon Josefsson | |
I-D last updated | 2012-01-25 | |
Completed reviews | Genart Telechat review of -?? by Brian E. Carpenter; Secdir Last Call review of -?? by Stephen Kent | |
Assignment | Reviewer | Brian E. Carpenter |
State | Completed | |
Request | Telechat review on draft-ietf-kitten-sasl-openid by General Area Review Team (Gen-ART) Assigned | |
Completed | 2012-01-25 |
Please see attached review.

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-kitten-sasl-openid-07.txt
Reviewer: Brian Carpenter
Review Date: 2011-11-24
IETF LC End Date: 2011-10-25
IESG Telechat date: 2011-12-01

Summary: Almost ready
--------

Comments:
---------

Thanks for acting on (most of) my Last Call comments.

I understand that the IESG is willing to accept the OpenID and OASIS
external references under the RFC 2026 rules and I have no quarrel with that.

Minor issues:
-------------

> 2.2. Discussion
>
> As mentioned above OpenID is primarily designed to interact with web-
> based applications. Portions of the authentication stream are only
> defined in the crudest sense. That is, when one is prompted to
> approve or disapprove an authentication, anything that one might find
> on a browser is allowed, including JavaScript, fancy style-sheets,
> etc. Because of this lack of structure, implementations will need to
> invoke a fairly rich browser in order to ensure that the
> authentication can be completed.

This language remains rather loose. At least, I believe, "fancy" and "fairly rich"
need to be replaced by more specific terms such as "complex" and "sufficiently powerful"
respectively. I think there may be interoperability issues hidden here in any case,
but that is probably inevitable.

> 4. OpenID GSS-API Mechanism Specification
...
> The GSS-API mechanism OID for OpenID is OID-TBD (IANA to assign: see
> IANA considerations).

That parenthesis will need to be removed during editing. I suggest inserting a
literal instance of "OID-TBD" in the IANA Considerations text too.