[OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Hans Zandbelt <hans.zandbelt@zmartzone.eu> Sun, 17 November 2019 20:11 UTC

From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Sun, 17 Nov 2019 21:11:14 +0100
Message-ID: <CA+iA6ui1TDn1LuQeOCXxh7gkt=CPwuQf5CCBqYUR0OZ2iOXwuQ@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0loW49RKvwGf1j_aeDKjHVp7gsc>

Hi,

Please find my feedback from page 21 onwards below.

Hans.

Overall I would argue there's room for a very concise guidance section that
says: do this, don't do that, without explanation, just as a reference for
developers; the current text provides in-depth analysis but that is perhaps
not suitable for developers who just want to know what to do (or not to do)
and don't really care about the background/reasoning.

P21
first bullet
"the client has bound this data to this particular instance." -> particular
instance of what?

3rd paragraph:
"call to the tokens endpoint." -> "call to the token endpoint."

last paragraph could forward point to the next section by adding something
like
"using one of the mechanisms described in the next section."

P22
3rd paragraph:
Is the token binding guidance still accurate? It seems to be overestimating
the adoption.

-- 
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu