Please see attached review.

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-kitten-sasl-openid-07.txt
Reviewer: Brian Carpenter
Review Date: 2011-11-24
IETF LC End Date: 2011-10-25
IESG Telechat date: 2011-12-01

Summary: Almost ready
--------

Comments:
---------

Thanks for acting on (most of) my Last Call comments.

I understand that the IESG is willing to accept the OpenID and OASIS
external references under the RFC 2026 rules and I have no quarrel
with that.

Minor issues:
-------------

> 2.2. Discussion
>
> As mentioned above OpenID is primarily designed to interact with web-
> based applications. Portions of the authentication stream are only
> defined in the crudest sense. That is, when one is prompted to
> approve or disapprove an authentication, anything that one might find
> on a browser is allowed, including JavaScript, fancy style-sheets,
> etc. Because of this lack of structure, implementations will need to
> invoke a fairly rich browser in order to ensure that the
> authentication can be completed.

This language remains rather loose. At least, I believe, "fancy" and
"fairly rich" need to be replaced by more specific terms such as
"complex" and "sufficiently powerful" respectively. I think there may be
interoperability issues hidden here in any case, but that is probably
inevitable.

> 4. OpenID GSS-API Mechanism Specification
...
> The GSS-API mechanism OID for OpenID is OID-TBD (IANA to assign: see
> IANA considerations).

That parenthesis will need to be removed during editing. I suggest
inserting a literal instance of "OID-TBD" in the IANA Considerations
text too.