Shepherd writeup
draft-ietf-oauth-token-exchange-19

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, 
Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this 
type of RFC indicated in the title page header?

The draft-ietf-oauth-token-exchange-10 is a Standards Track document that extends OAuth 
2.0 and defines a new protocol for Security Token Service (STS) to be used by OAuth elements 
(e.g. Clients, Resource Servers, etc) to exchange one token for another.

(2) The IESG approval announcement includes a Document Announcement Write-Up. 
Please provide such a Document Announcement Write-Up. Recent examples can be 
found in the "Action" announcements for approved documents. The approval 
announcement contains the following sections:

Technical Summary:
  This specification defines a protocol for an HTTP- and JSON- based Security Token 
  Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 
  authorization servers, including security tokens employing impersonation and delegation.
  The specification extends the scope of the Authorization Server (AS) to act as an STS to 
  allow the AS to exchange one token for another. The working group thinks that this is a 
  useful Standards Track document.

Working Group Summary:
  The WG document is the result of the merge of two individual documents that tried to 
  address this issue of token exchange: draft-jones-oauth-token-exchange and draft-
  campbell-oauth-sts.
  The scope of the first few revisions of the document was limited, and there was a long 
  discussion of addressing a Token Chaining use case:
  https://mailarchive.ietf.org/arch/msg/oauth/pQRiMz0NjwcAG9Jazm8Aex40UX8/?qid=e6b492516cfa24bebbf8996009413d62
  The WG document was extended to address the Token Chaining use case. 

  The individual and WG documents were reviewed by a large number of participants, with 
  lively and long discussions on the mailing list and during the WG meetings.

  One participant, Denis (denis.ietf@free.fr), raised some privacy & security concerns with 
  the WG document, which was not shared by the rest of the group. Denis was encouraged 
  by the group to write a draft on the subject to allow for a better and clear understanding 
  of his concerns, or discuss the security issues in the context of the OAuth Security Topics 
  document.

Document Quality:
  The document has been implemented by Salesforce, Microsoft, Box, Indigo IAM, Unity 
  IdM, and partial implementation by RedHat.
     https://medium.com/box-developer-blog/introducing-token-exchange-for-box-platform-3dcf7ab891b8
     https://indigo-dc.gitbooks.io/iam/content/doc/user-guide/oauth_token_exchange.html
     http://www.unity-idm.eu/documentation/unity-2.1.0/manual.html#_token_exchange
     http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Personnel:
  The document shepherd is Rifaat Shekh-Yusef. 
  The responsible Area Director is Eric Rescorla.

(3) Briefly describe the review of this document that was performed by the Document 
Shepherd. If this version of the document is not ready for publication, please explain 
why the document is being forwarded to the IESG.

The document shepherd has reviewed several versions of this document, including the last one, 
feels the document is ready.

(4) Does the document Shepherd have any concerns about the depth or breadth of the 
reviews that have been performed?

The document shepherd has no concerns with the level of reviews, as the document was 
discussed and reviewed by many participants.

(5) Do portions of the document need review from a particular or from broader 
perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or 
internationalization? If so, describe the review that took place.

Security review is always needed and appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd has with this 
document that the Responsible Area Director and/or the IESG should be aware of? For 
example, perhaps he or she is uncomfortable with certain parts of the document, or 
has concerns whether there really is a need for it. In any event, if the WG has 
discussed those issues and has indicated that it still wishes to advance the document, 
detail those concerns here.

The document shepherd has no such concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures required 
for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. 
If not, explain why?

Yes.
https://www.ietf.org/mail-archive/web/oauth/current/msg17638.html
https://www.ietf.org/mail-archive/web/oauth/current/msg17639.html
https://www.ietf.org/mail-archive/web/oauth/current/msg17640.html
https://www.ietf.org/mail-archive/web/oauth/current/msg17646.html
https://www.ietf.org/mail-archive/web/oauth/current/msg17669.html
 
(8) Has an IPR disclosure been filed that references this document? If so, summarize 
any WG discussion and conclusion regarding the IPR disclosures.

No such IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the strong 
concurrence of a few individuals, with others being silent, or does the WG as a whole 
understand and agree with it?

There is a solid support for this document from the WG, with the exception of the individual 
mentioned above.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If 
so, please summarise the areas of conflict in separate email messages to the 
Responsible Area Director. (It should be in a separate email because this questionnaire 
is publicly available.)

No such threat or discontent, with the exception of the individual mentioned above with his 
privacy and security concerns.

(11) Identify any ID nits the Document Shepherd has found in this document. (See 
http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate 
checks are not enough; this check needs to be thorough.

One nit found:

** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)


(12) Describe how the document meets any required formal review criteria, such as 
the MIB Doctor, media type, and URI type reviews.

No such reviews are necessary.

(13) Have all references within this document been identified as either normative or 
informative?

Yes.

(14) Are there normative references to documents that are not ready for advancement 
or are otherwise in an unclear state? If such normative references exist, what is the 
plan for their completion?

No such references.

(15) Are there downward normative references (see RFC 3967)? If so, list these 
downward references to support the Area Director in the Last Call procedure.

No such references.

(16) Will publication of this document change the status of any existing RFCs? Are 
those RFCs listed on the title page header, listed in the abstract, and discussed in the 
introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, 
and point to the part of the document where the relationship of this document to the 
other RFCs is discussed. If this information is not in the document, explain why the WG 
considers it unnecessary.

No status change of any existing RFCs.

(17) Describe the Document Shepherd's review of the IANA considerations section, 
especially with regard to its consistency with the body of the document. Confirm that 
all protocol extensions that the document makes are associated with the appropriate 
reservations in IANA registries. Confirm that any referenced IANA registries have been 
clearly identified. Confirm that newly created IANA registries include a detailed 
specification of the initial contents for the registry, that allocations procedures for 
future registrations are defined, and a reasonable name for the new registry has been 
suggested (see RFC 5226).

The IANA section is complete and correct.

(18) List any new IANA registries that require Expert Review for future allocations. 
Provide any public guidance that the IESG would find useful in selecting the IANA 
Experts for these new registries.

No new IANA registries.

(19) Describe reviews and automated checks performed by the Document Shepherd to 
validate sections of the document written in a formal language, such as XML code, BNF 
rules, MIB definitions, etc.

The document contains JSON-based examples, and these were validated using JSONLint.
Back