[Gen-art] Telechat review of draft-ietf-oauth-pop-architecture-07
"Matt Miller (mamille2)" <mamille2@cisco.com> Thu, 17 December 2015 02:28 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41B231A00EE; Wed, 16 Dec 2015 18:28:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0zOPhxM4EUf; Wed, 16 Dec 2015 18:28:20 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639C81A00B8; Wed, 16 Dec 2015 18:28:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5147; q=dns/txt; s=iport; t=1450319300; x=1451528900; h=from:to:cc:subject:date:message-id:mime-version; bh=VhJhJxhbDh589rU8KGkmq911oiiTvYucI03W3JAHU9c=; b=CjVxD7UyNd44w0kA/pIvfIjkmH3griKY+e8sgFbUJahEFaFjfA6bFrr/ weh+DACqL64SpxuyuzIhMXF2xWJ/2kXrn3ZbQ71ij7tIWXIqeDlBPgRan ivzAA1jLVDOAEqkVpfCcBC8sDvhOu4MCWJLHz0f+RoQcZ2JCPMzBWXdb6 g=;
X-Files: signature.asc : 496
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAwBEHXJW/4gNJK1egzpSbQEFvW8OgWIhhWyBLDgUAQEBAQEBAX8LhDcEeRIBGgJkFxAEDhOIIQ6+OAEBAQEBAQEBAQEBAQEBAQEBARIJiGWHMDmDK4EaBZMGg3YBgQuBYYFiaoJxhR6BXEmDfIMok1EBIAFDhARzg2WBCAEBAQ
X-IronPort-AV: E=Sophos;i="5.20,439,1444694400"; d="asc'?scan'208";a="56268960"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Dec 2015 02:28:15 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id tBH2SFhp003867 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Dec 2015 02:28:15 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 16 Dec 2015 20:28:15 -0600
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1104.009; Wed, 16 Dec 2015 20:28:15 -0600
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: "draft-ietf-oauth-pop-architecture.all@ietf.org" <draft-ietf-oauth-pop-architecture.all@ietf.org>
Thread-Topic: Telechat review of draft-ietf-oauth-pop-architecture-07
Thread-Index: AQHROHKVVYQSBOips0K9wxldPp/27Q==
Date: Thu, 17 Dec 2015 02:28:15 +0000
Message-ID: <2A457E0F-1ADC-4C4A-B6C8-3B29DEF46BAF@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail 2.6b2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.58.8]
Content-Type: multipart/signed; boundary="Apple-Mail=_AC09CE1C-30B5-43E2-A56A-7937A9A2F307"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/d1L-cA1n9XdO7Am6PXgfHZCMeb8>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: [Gen-art] Telechat review of draft-ietf-oauth-pop-architecture-07
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 02:28:22 -0000
I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Document: draft-ietf-oauth-pop-architecture-07 Reviewer: Matthew A. Miller Review Date: 2015-12-16 IETF LC End Date: 2015-12-15 IESG Telechat date: 2015-12-17 Summary: Almost ready. I have several editorial nits, but also a couple of minor concerns that I think would improve this document's readability. I note that idnits complained about the lack of RFC 2119 boilerplate; however, I think the text actually used in this document is most appropriate and still conveys the intent. The idnits also complained about a reference to an obsolete RFC 5849; however, this reference appears to be intentional and necessary. ----- Major issues: Nnne. Minor issues: 1. In Section 1. Introduction, the last paragraph makes it seem the document isn't organized properly. It implies an order to read the document that is not reflected in the outline: * Section 1 * Section 2 * Section 3 * Section 4 * Section 6 * Section 7 * Section 5 Simply re-ording the document I think causes bigger problems. While the intro hints at the order to read, it makes more sense to me in the order it actually is. Ultimately, for me the problem arises with the word "concludes". It might simply be enough to change the last participle from ", and concludes with a requirements list in Section 5." to ", and lists requirements in Section 5." 2. In several places, terms of art are used that have not been defined in this document: "resource server", "protected resource", etc. I think it would help if Section 2. indicated where these terms are defined or discussed, which is RFC 6749. Nits/editorial comments: * The reference to draft-ietf-oauth-proof-of-possession-08 should be updated to its latest version, although I expect RFC Editor will resolve this before publication. * The reference to RFC 4347 should be updated to 6347; there's no clear requirement for the older document. * In Section 3.1 Preventing Access Token Re-Use by the Resource Server, "with other resource server" should be either "with another resource server" or "with other resource servers". * In Section 3.2 TLS and DTLS Channel Binding Support, "entity entity" should be "entity". * In section 3.4 Offering Application Layer End-to-End Security, The last sentence of the last paragraph seems out of place. It seems it would be better as the penultimate sentence of the previous paragraph. * In section 4. Security and Privacy Threats under "Token manufacture/modification", "causing resource server" should be "causing the resource server". * Also in Section 4. Security and Privacy Threats under "Token manufacture/modification", the normative language here seems out of place. It seems to me that 'may' conveys just as much as 'MAY' for how it is used here. * In Section 5. Requirements under "Prevent the Domino Effect", "Resource Server" is capitalized differently than all previous uses, but it doesn't seem to be a different use. I suggest changing it to "resource server". * In Section 6.3. Key Confirmation, uses the term "privacy key" where I believe the common nomenclature is "private key". * In Section 7. Client and Authorization Server Interaction, I find most of the figures a little hard to follow. While I appreciate the attempt to go beyond strict perpendicularity, I find it distracting from the information it is trying to convey. * In Section 7.1 Symmetric Keys, I think the "three ways for communicating this session key" would benefit having bullets or outline numbers. * In Section 10. Acknowledgements, the second paragraph discusses an appendix that borrows content from another document, but there is no appendix in this draft. Is this text still relevant? -- - m&m Matt Miller Cisco Systems, Inc.
- [Gen-art] Telechat review of draft-ietf-oauth-pop… Matt Miller (mamille2)
- Re: [Gen-art] Telechat review of draft-ietf-oauth… Kathleen Moriarty
- Re: [Gen-art] Telechat review of draft-ietf-oauth… Phil Hunt
- Re: [Gen-art] Telechat review of draft-ietf-oauth… Matt Miller (mamille2)