Re: [Gen-art] [OAUTH-WG] Genart last call review of draft-ietf-oauth-token-exchange-14

Brian Campbell <bcampbell@pingidentity.com> Fri, 10 August 2018 19:49 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 10 Aug 2018 13:49:04 -0600
Message-ID: <CA+k3eCTdkY+VDmCP0vgHU387t5=jxM_GjvmYfEgZdrjHm+5S6w@mail.gmail.com>
To: Jari Arkko <jari.arkko@piuha.net>
Cc: gen-art@ietf.org, draft-ietf-oauth-token-exchange.all@ietf.org, ietf@ietf.org, oauth <oauth@ietf.org>

Thanks for the review, Jari,

Regarding minimizing details, I'm thinking that incorporating some text
along the lines of what's in the Privacy Considerations of RFC 7523
<https://tools.ietf.org/html/rfc7523#section-7> might be a worthwhile
addition.


On Fri, Aug 3, 2018 at 7:49 AM Jari Arkko <jari.arkko@piuha.net> wrote:

> Reviewer: Jari Arkko
> Review result: Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-oauth-token-exchange-14
> Reviewer: Jari Arkko
> Review Date: 2018-08-03
> IETF LC End Date: 2018-08-06
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
>
> This specification describes a standardised protocol for requesting and
> receiving security tokens from an OAuth 2.0 authorisation service.
>
> I had no experience on OAuth previously, but the document was understandable
> and as far as I could determine, had no major issues.
>
> It was a bit more difficult to determine completeness.  Security and privacy
> considerations sections were quite short, for instance, and maybe that's
> justifiable given the ability to refer to prior RFCs on this subject. However,
> I suspect one could say more, e.g., Section 7 says "Tokens typically carry
> personal information and their usage in Token Exchange may reveal details of
> the target services being accessed", but it does not offer any advice on how
> such details might be minimised. But perhaps that's already in another RFC as
> well.
>
> Major issues:
>
> Minor issues:
>
> Nits/editorial comments:
>
