[OAUTH-WG] Fwd: Gen-ART Telechat review of draft-ietf-oauth-v2-25
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 10 April 2012 13:57 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E20F11E80BE for <oauth@ietfa.amsl.com>; Tue, 10 Apr 2012 06:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.566
X-Spam-Level:
X-Spam-Status: No, score=-102.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Da2Yt5bXJ+pE for <oauth@ietfa.amsl.com>; Tue, 10 Apr 2012 06:57:16 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 1DC1F21F865B for <oauth@ietf.org>; Tue, 10 Apr 2012 06:57:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 5FB2F171479 for <oauth@ietf.org>; Tue, 10 Apr 2012 14:57:15 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1334066234; bh=8KU4/N7iBLjvlb n/MUC+WLpbXy7wa2DDWGwENRaJFRY=; b=ks3689l/4F/rbnr58gKLGEXs+mJNNm qGPfjrNRmv2Ch1E6CisdQWLh6XoSj7uiN7Zi0SDHOp3Dnk+LOlVZW0FPXIDRjFCr 8e8ACEtircLPK3CWwpngSh83OQeuF8vfdcwI1nKfXYp/s3jI6eapDu+7avOOooe3 /PJF1DWWcvQ9vcBpeICrxLEL6st6GwQGFkKvscfVwGvylCIvUEwPwO/oQYX3fTYR eM6TZu3o6LwaSlMLVWZt/Mi0ar64UBggmK2DY0ifC+xZCK4DhyQaGI8SHVbU25Sz XSQLxY6kztsydu5aa4FzR4JtUId1RBE5DCO4TKETllefiydP07/bKeHg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 9uYrA45PknVL for <oauth@ietf.org>; Tue, 10 Apr 2012 14:57:14 +0100 (IST)
Received: from [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c] (unknown [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id DD6B2171472 for <oauth@ietf.org>; Tue, 10 Apr 2012 14:57:14 +0100 (IST)
Message-ID: <4F843C3B.3040009@cs.tcd.ie>
Date: Tue, 10 Apr 2012 14:57:15 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <22E22875-8112-42A3-974D-770167AB9536@bbn.com>
In-Reply-To: <22E22875-8112-42A3-974D-770167AB9536@bbn.com>
X-Forwarded-Message-Id: <22E22875-8112-42A3-974D-770167AB9536@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] Fwd: Gen-ART Telechat review of draft-ietf-oauth-v2-25
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2012 13:57:17 -0000
FYI in case some aren't on ietf@ietf.org Having responses to these before Thursday would be good. Its often the case that some AD will turn some of these points into a DISCUSS so good to know what can be cleared up easily and what might need further discussion before the telechat. S -------- Original Message -------- Subject: Gen-ART Telechat review of draft-ietf-oauth-v2-25 Date: Tue, 10 Apr 2012 09:11:19 -0400 From: Richard L. Barnes <rbarnes@bbn.com> To: General Area Review Team <gen-art@ietf.org>, draft-ietf-oauth-v2.all@tools.ietf.org, IETF-Discussion list <ietf@ietf.org> I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Document: draft-ietf-oauth-v2.txt Reviewer: Richard Barnes Review Date: 10 Apr 2012 IETF LC End Date: IESG Telechat Date: 12 Apr 2012 Summary: Almost ready, but with some gaps that need to be addressed MAJOR: General: At several points, the document seems to deal in plain-text usernames and passwords, ranging from the requirement for HTTP Basic authentication (2.3.1) to the explicit username and password fields one of the grant types (4.3.2, 10.7). In these cases, it seems like it would encourage better security practices to use some sort of digest or other secure scheme for proving ownership of passwords. Otherwise, there's a risk that proxies, caches, etc. will have access to users' plaintext credentials. General: The document requires the Authorization Server to distinguish between confidential and public clients at several points. It's not clear, however, how the server is supposed to tell which is which. Perhaps Section 2.1 could elaborate a little more on this? 4: Throughout the document, the assumption is that the client is moved from one URI to another via HTTP redirects (302 responses). Could the protocol also accommodate other techniques of moving clients around, e.g., in JavaScript (setting window.location). It seems like this could make deployment much easier in some cases. 10.3: This section seems to ignore the risk of client impersonation at the resource server. Just as with client credentials in Section 10.2, if an access token is compromised, then it could be presented by another party in order to access the protected resource. So the Resource Server needs to authenticate the client and validate that the token goes with the client, in addition to just checking the validity of the token. 10: Throughout this section, there are mentions of which parameters require secure transmission/storage and which do not. It would be helpful to summarize these requirements, say in a table at the end of the section. MINOR: 2.3.1: When you say "request body" in this section, do you actually mean "query"? I don't see a prohibition on GET here, in which case the parameters would be in the URI query section. 3.1.2.2: It seems like an explicit requirement would be helpful here, e.g.: " The Authorization Server MUST verify that either no redirect_uri is provided (in which case it uses the registered URI), or else that the provided redirect_uri matches the registered redirection URI for the authenticated client_id (where the match can be based on a full or partial registered URI). " 4.1.3: Why does this request use redirect_uri and not client_id to identify the client? (Or both?) It seems like involving the client_id would better support the goal of client authentication, in order to mitigate the risk of client impersonation. 4.3.2: Shouldn't there be a client authentication here? (In particular, a client_id.) Otherwise, it seems like this is essentially the same as the flow in 4.4. 7. It seems like it would be helpful to have a way to pass access tokens in the request URI / query in some deployment cases (e.g., a JavaScript based client). Is there any particular reason this was excluded? EDITORIAL: 3. Would be helpful to note here that these endpoints are in addition to the resource endpoint (the one started out to protect), which is handled in Section 7. 3.2: It's not clear why only POST is allowed here. A couple of words of explanation would help. 5.1: Why bother with a case-insensitive token_type here? It doesn't look like anything else in the whole document has this property.
- [OAUTH-WG] Fwd: Gen-ART Telechat review of draft-… Stephen Farrell