[Last-Call] Re: Genart last call review of draft-ietf-oauth-browser-based-apps-22

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thanks for your edits Thomas! I've merged the PR.

As for your BCP question, I am not totally certain about the implications of including it in BCP212, or whether it should be part of the new BCP240, or an entirely new BCP. I tried finding details about this in the various process RFCs/BCPs but I can't find an explanation.

I've noted your comment about the "scenario" language as issue #68 to follow up on later.

Thanks!

Aaron

On Sun, Jan 26, 2025 at 7:14 AM Thomas Fossati via Datatracker <noreply@xxxxxxxx> wrote:
Reviewer: Thomas Fossati
Review result: Ready with Nits

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-oauth-browser-based-apps-22
Reviewer: Thomas Fossati
Review Date: 2025-01-26
IETF LC End Date: 2025-02-04
IESG Telechat date: Not scheduled for a telechat

Summary:

This is a BCP for browser-based apps that use OAuth 2.0.
It's a companion to BCP212, which contains similar recommendations for
OAuth 2.0 native apps.

This document is very clearly written, exhaustive, and well-organised.
>From a Gen-ART perspective, it's ready to ship.
Many thanks to the editors and the oauth WG.

One question for the editors and WG regarding the BCP status: is
this doc going into BCP212 or does it get its own BCP number?

Major issues: none

Minor issues: none

Nits/editorial comments:

One editorial nit regarding the use of the term "scenario" in sentences
like:

    "scenarios that attackers can use"
    "[...] scenarios that an attacker can execute"

To my (non-native) ears, to "use/execute a scenario" sounds a bit
weird :-) Maybe "attack _strategies_ that an attacker can _exploit_"?

Apart from that, I have packed a bunch of small fixes into a PR [1].

[1] https://github.com/oauth-wg/oauth-browser-based-apps/pull/65




-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux