Telechat Review of draft-ietf-kitten-sasl-openid-

Request
Review of: draft-ietf-kitten-sasl-openid
Requested rev.: no specific revision (document currently at 08)
Type: Telechat Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2011-11-15
Requested: 2012-01-06
Authors: Eliot Lear, Hannes Tschofenig, Henry Mauldin, Simon Josefsson
Draft last updated: 2012-01-25
Completed reviews:
  Genart Telechat review of -?? by Brian Carpenter
  Genart Telechat review of -?? by Brian Carpenter
  Secdir Last Call review of -?? by Stephen Kent

Assignment
Reviewer: Brian Carpenter
State: Completed
Review: review-ietf-kitten-sasl-openid-genart-telechat-carpenter-2012-01-25
Review completed: 2012-01-25


Please see attached review.

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

Please wait for direction from your document shepherd
or AD before posting a new version of the draft. 

Document: draft-ietf-kitten-sasl-openid-07.txt
Reviewer: Brian Carpenter
Review Date: 2011-11-24
IETF LC End Date: 2011-10-25
IESG Telechat date: 2011-12-01

Summary:  Almost ready


Thanks for acting on (most of) my Last Call comments.

I understand that the IESG is willing to accept the OpenID and OASIS external
references under the RFC 2026 rules and I have no quarrel with that.

Minor issues:

> 2.2.  Discussion
>    As mentioned above OpenID is primarily designed to interact with web-
>    based applications.  Portions of the authentication stream are only
>    defined in the crudest sense.  That is, when one is prompted to
>    approve or disapprove an authentication, anything that one might find
>    on a browser is allowed, including JavaScript, fancy style-sheets,
>    etc.  Because of this lack of structure, implementations will need to
>    invoke a fairly rich browser in order to ensure that the
>    authentication can be completed.

This language remains rather loose. At least, I believe, "fancy" and 
"fairly rich" need to be replaced by more specific terms such as
"complex" and "sufficiently powerful" respectively. I think there may
be interoperability issues hidden here in any case, but that is
probably inevitable.

> 4.  OpenID GSS-API Mechanism Specification
>   The GSS-API mechanism OID for OpenID is OID-TBD (IANA to assign: see
>   IANA considerations).

That parenthesis will need to be removed during editing. I suggest inserting a 
literal instance of "OID-TBD" in the IANA Considerations text too.