Telechat Review of draft-ietf-kitten-sasl-openid-
review-ietf-kitten-sasl-openid-genart-telechat-carpenter-2012-01-25-00

Please see attached review.



I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
< 

http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft. 

Document: draft-ietf-kitten-sasl-openid-07.txt
Reviewer: Brian Carpenter
Review Date: 2011-11-24
IETF LC End Date: 2011-10-25
IESG Telechat date: 2011-12-01

Summary:  Almost ready
--------

Comments:
---------

Thanks for acting on (most of) my Last Call comments.

I understand that the IESG is willing to accept the OpenID and OASIS external
references under the RFC 2026 rules and I have no quarrel with that.

Minor issues:
-------------

> 2.2.  Discussion
> 
>    As mentioned above OpenID is primarily designed to interact with web-
>    based applications.  Portions of the authentication stream are only
>    defined in the crudest sense.  That is, when one is prompted to
>    approve or disapprove an authentication, anything that one might find
>    on a browser is allowed, including JavaScript, fancy style-sheets,
>    etc.  Because of this lack of structure, implementations will need to
>    invoke a fairly rich browser in order to ensure that the
>    authentication can be completed.

This language remains rather loose. At least, I believe, "fancy" and 
"fairly rich" need to be replaced by more specific terms such as
"complex" and "sufficiently powerful" respectively. I think there may
be interoperability issues hidden here in any case, but that is
probably inevitable.

> 4.  OpenID GSS-API Mechanism Specification
...
>   The GSS-API mechanism OID for OpenID is OID-TBD (IANA to assign: see
>   IANA considerations).

That parenthesis will need to be removed during editing. I suggest inserting a 
literal instance of "OID-TBD" in the IANA Considerations text too.