[Gen-art] Telechat review of draft-ietf-oauth-pop-architecture-07

"Matt Miller (mamille2)" <mamille2@cisco.com> Thu, 17 December 2015 02:28 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 41B231A00EE; Wed, 16 Dec 2015 18:28:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id b0zOPhxM4EUf; Wed, 16 Dec 2015 18:28:20 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639C81A00B8; Wed, 16 Dec 2015 18:28:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5147; q=dns/txt; s=iport; t=1450319300; x=1451528900; h=from:to:cc:subject:date:message-id:mime-version; bh=VhJhJxhbDh589rU8KGkmq911oiiTvYucI03W3JAHU9c=; b=CjVxD7UyNd44w0kA/pIvfIjkmH3griKY+e8sgFbUJahEFaFjfA6bFrr/ weh+DACqL64SpxuyuzIhMXF2xWJ/2kXrn3ZbQ71ij7tIWXIqeDlBPgRan ivzAA1jLVDOAEqkVpfCcBC8sDvhOu4MCWJLHz0f+RoQcZ2JCPMzBWXdb6 g=;
X-Files: signature.asc : 496
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.20,439,1444694400"; d="asc'?scan'208";a="56268960"
Received: from alln-core-3.cisco.com ([]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Dec 2015 02:28:15 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com []) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id tBH2SFhp003867 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Dec 2015 02:28:15 GMT
Received: from xch-aln-002.cisco.com ( by XCH-RCD-005.cisco.com ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 16 Dec 2015 20:28:15 -0600
Received: from xch-aln-002.cisco.com ([]) by XCH-ALN-002.cisco.com ([]) with mapi id 15.00.1104.009; Wed, 16 Dec 2015 20:28:15 -0600
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: "draft-ietf-oauth-pop-architecture.all@ietf.org" <draft-ietf-oauth-pop-architecture.all@ietf.org>
Thread-Topic: Telechat review of draft-ietf-oauth-pop-architecture-07
Thread-Index: AQHROHKVVYQSBOips0K9wxldPp/27Q==
Date: Thu, 17 Dec 2015 02:28:15 +0000
Message-ID: <2A457E0F-1ADC-4C4A-B6C8-3B29DEF46BAF@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-pgp-agent: GPGMail 2.6b2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; boundary="Apple-Mail=_AC09CE1C-30B5-43E2-A56A-7937A9A2F307"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/d1L-cA1n9XdO7Am6PXgfHZCMeb8>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: [Gen-art] Telechat review of draft-ietf-oauth-pop-architecture-07
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 02:28:22 -0000

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at


Document: draft-ietf-oauth-pop-architecture-07
Reviewer: Matthew A. Miller
Review Date: 2015-12-16
IETF LC End Date: 2015-12-15
IESG Telechat date: 2015-12-17

Summary: Almost ready.

I have several editorial nits, but also a couple of minor concerns that
I think would improve this document's readability.

I note that idnits complained about the lack of RFC 2119 boilerplate;
however, I think the text actually used in this document is most
appropriate and still conveys the intent.  The idnits also complained
about a reference to an obsolete RFC 5849; however, this reference
appears to be intentional and necessary.


Major issues:


Minor issues:

1. In Section 1. Introduction, the last paragraph makes it seem the
document isn't organized properly.  It implies an order to read the
document that is not reflected in the outline:

 * Section 1
 * Section 2
 * Section 3
 * Section 4
 * Section 6
 * Section 7
 * Section 5

Simply re-ording the document I think causes bigger problems.  While
the intro hints at the order to read, it makes more sense to me in
the order it actually is.  Ultimately, for me the problem arises with
the word "concludes".  It might simply be enough to change the last
participle from ", and concludes with a requirements list in Section 5."
to ", and lists requirements in Section 5."

2. In several places, terms of art are used that have not been defined
in this document: "resource server", "protected resource", etc.  I
think it would help if Section 2. indicated where these terms are
defined or discussed, which is RFC 6749.

Nits/editorial comments:

* The reference to draft-ietf-oauth-proof-of-possession-08 should be
updated to its latest version, although I expect RFC Editor will
resolve this before publication.

* The reference to RFC 4347 should be updated to 6347; there's no clear
requirement for the older document.

* In Section 3.1 Preventing Access Token Re-Use by the Resource Server,
"with other resource server" should be either "with another resource
server" or "with other resource servers".

* In Section 3.2 TLS and DTLS Channel Binding Support, "entity entity"
should be "entity".

* In section 3.4 Offering Application Layer End-to-End Security, The
last sentence of the last paragraph seems out of place.  It seems it
would be better as the penultimate sentence of the previous paragraph.

* In section 4. Security and Privacy Threats under "Token
manufacture/modification", "causing resource server" should be "causing
the resource server".

* Also in Section 4. Security and Privacy Threats under "Token
manufacture/modification", the normative language here seems out of
place.  It seems to me that 'may' conveys just as much as 'MAY' for
how it is used here.

* In Section 5. Requirements under "Prevent the Domino Effect",
"Resource Server" is capitalized differently than all previous uses,
but it doesn't seem to be a different use.  I suggest changing it to
"resource server".

* In Section 6.3. Key Confirmation, uses the term "privacy key" where
I believe the common nomenclature is "private key".

* In Section 7. Client and Authorization Server Interaction, I find
most of the figures a little hard to follow.  While I appreciate the
attempt to go beyond strict perpendicularity, I find it distracting
from the information it is trying to convey.

* In Section 7.1 Symmetric Keys, I think the "three ways for
communicating this session key" would benefit having bullets or
outline numbers.

* In Section 10. Acknowledgements, the second paragraph discusses an
appendix that borrows content from another document, but there is no
appendix in this draft.  Is this text still relevant?

- m&m

Matt Miller
Cisco Systems, Inc.