Re: [OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Mon, 15 November 2021 14:59 UTC

Message-ID: <7c515322-b19f-a1a6-e36a-100ff8d8ef58@hackmanit.de>
Date: Mon, 15 Nov 2021 15:58:53 +0100
To: Julian Reschke <julian.reschke@gmx.de>, art@ietf.org
Cc: draft-ietf-oauth-iss-auth-resp.all@ietf.org, last-call@ietf.org, oauth@ietf.org
References: <163576279118.23946.14747101192871915313@ietfa.amsl.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
In-Reply-To: <163576279118.23946.14747101192871915313@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-E3uAeOOlV1AEebKoawnHf4JDhg>
Subject: Re: [OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02

Hi Julian,

Thank you for your comments. Answers inline.

We mostly addressed them locally and will publish a new version when all 
IESG reviews are available and addressed by us.

Best regards,
Karsten

On 01.11.2021 11:33, Julian Reschke via Datatracker wrote:
> Review is partially done. Another assignment may be needed to complete it.
>
> Reviewer: Julian Reschke
> Review result: Almost Ready
>
> (I have reviewed this with zero knowledge of OAuth, so additional review
> probably would be good)
>
> Major issues:
>
> 2.4
>
> "Clients MUST compare the extracted and URL-decoded value to the issuer
> identifier of the authorization server where the authorization request was sent
> to."
>
> I'm not sure that "URL-decoded" is correct with respect to decoding query
> parameters. Consider URLs containing "+" or "=". You probably need the encoding
> rules for application/x-www-form-urlencoded instead.
Good point. We changed the text to refer to 
application/x-www-form-urlencoded.
>
> Minor issues:
>
> References to registries should not be listed as normative.
+1 that was an editorial mistake. Fixed.
>
> Nits:
>
> Section links to external documents do not appear to be marked up as such (and
> use a trailing dot in the section number which they should not)
I am actually not sure how to fix this. I removed the trailing dot 
(thanks for the hint) but when converting markdown to XML the section is 
not automatically recognized.
My markdown looks like this:
The authorization response as specified in Section 4.1.2 of [@!RFC6749]

The XML file like this:
The authorization response as specified in Section 4.1.2 of <xref 
target="RFC6749"></xref>

Is there some example how to link the sections in external RFCs or 
should we create the links manually?

>
> There are no Acks; so section 6 should be deleted (if there were acks they
> should go into an unnumbered section at the end of the document)
We added missing Acks and moved them to the appendix.
>
>
>
-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de  | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
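Added example, not part of the thread above and not code from the draft or from Hackmanit: the client-side iss check that the review discusses, parsing the authorization response with application/x-www-form-urlencoded rules (Python's parse_qs) instead of a bare percent-decode, and comparing the result to the issuer the request was sent to. The PENDING_REQUESTS dict, the issuer and client URLs, and the code/state values are constructed sample data; a real client would key its session store by state in the same way.

```python
"""Client-side issuer check for OAuth 2.0 authorization responses.

Added example (assumption-laden, not the draft's or the thread's code):
the authorization response is parsed as application/x-www-form-urlencoded,
i.e. split on '&' and on the first '=' of each pair, then each name and
value is decoded separately ('+' -> ' ', '%XX' -> byte). Only then is the
iss value compared, as an exact string, to the issuer the client recorded
when it built the authorization request.
"""
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Constructed sample data (assumption): per-request store keyed by `state`,
# recording the issuer identifier of the AS the request was sent to.
PENDING_REQUESTS = {
    "af0ifjsldkj": "https://honest.as.example",
    "x7sk2": "https://as.example/tenant+one",  # a '+' in the issuer path
}


def build_authorization_response(redirect_uri, issuer, code, state):
    """AS side: urlencode() form-encodes each value, so a '+' inside the
    issuer is sent as '%2B' and '/' as '%2F' (constructed, for illustration)."""
    return redirect_uri + "?" + urlencode({"code": code, "state": state, "iss": issuer})


def parse_authorization_response(redirect_url):
    """Client side: form-urlencoded parsing of the query component.

    parse_qs splits on '&' and the first '=' of every pair and decodes each
    part with form rules; strict_parsing rejects malformed pairs."""
    query = urlsplit(redirect_url).query
    return parse_qs(query, keep_blank_values=True, strict_parsing=True)


def single(params, name):
    """Require exactly one occurrence of a parameter (RFC 6749 forbids repeats)."""
    values = params.get(name)
    if values is None or len(values) != 1:
        raise ValueError(f"parameter {name!r} missing or repeated")
    return values[0]


def verify_iss(redirect_url, pending=PENDING_REQUESTS):
    """Return True iff the response's iss equals the issuer the request went to.

    Assumption: the AS is known to support the iss parameter, so a missing
    iss is an error rather than a legacy response."""
    params = parse_authorization_response(redirect_url)
    state = single(params, "state")
    expected_issuer = pending.get(state)
    if expected_issuer is None:
        raise ValueError("unknown state: not a response to a request we made")
    iss = single(params, "iss")
    # Exact, case-sensitive comparison; no normalization of case or slashes.
    return iss == expected_issuer


def naive_url_decode_iss(redirect_url):
    """The reading of 'URL-decoded' the review warns about: percent-decode the
    raw value only. A literal '+' stays '+', whereas form decoding yields ' ',
    so the two readings disagree on exactly the inputs the review names."""
    query = urlsplit(redirect_url).query
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "iss":
            return unquote(value)
    return None


if __name__ == "__main__":
    cb = "https://client.example/cb"
    ok = build_authorization_response(cb, "https://honest.as.example", "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj")
    print(ok, verify_iss(ok))
    # Mix-up: an attacker-controlled AS answers a request that was sent to the honest AS.
    bad = build_authorization_response(cb, "https://attacker.example", "deadbeef", "af0ifjsldkj")
    print(bad, verify_iss(bad))
```

The last function exists only to show where the two decodings diverge: a response carrying a literal, un-encoded "+" in iss decodes to a space under form rules and therefore fails the comparison, while a percent-only decoder would accept it. That is the interoperability reason for the draft to name application/x-www-form-urlencoded rather than "URL-decoding".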