[OAUTH-WG] Review of draft-ietf-oauth-pop-architecture-00
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 28 August 2014 07:05 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 529D71A06A1 for <oauth@ietfa.amsl.com>; Thu, 28 Aug 2014 00:05:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.168
X-Spam-Level:
X-Spam-Status: No, score=-15.168 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2AoVgGalqnP for <oauth@ietfa.amsl.com>; Thu, 28 Aug 2014 00:05:16 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B02261A0694 for <oauth@ietf.org>; Thu, 28 Aug 2014 00:05:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7170; q=dns/txt; s=iport; t=1409209515; x=1410419115; h=from:to:subject:date:message-id:mime-version; bh=GHRuzR9yaD0ENhlUUqPkyNnhQ4Ysp7sWkPJfyQtlkuA=; b=WyegJY9fwGHERfrN0lSsTSegKiAfChI5Jy2ooP07pw9jTNht25rXGE1D QIgF/i6QblA9COCF44A+Y4QpRyg4mObPIkADufnvbp7neS2PeLLAqxcXT y7vRlVUo9IBKifyOfrn1JNdFDL+67H1n4Ub3DXYwBHIBa95hsnM7yHGS0 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag0FAALU/lOtJV2Y/2dsb2JhbABbgkdGU1vTdQGBGBZ3hAUBBC1FGQEaEFYXDwEEG4g6myajaRePG4NngR0FkS+gQ4NegjSBBwEBAQ
X-IronPort-AV: E=Sophos;i="5.04,416,1406592000"; d="scan'208,217";a="350674419"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-1.cisco.com with ESMTP; 28 Aug 2014 07:05:14 +0000
Received: from xhc-aln-x06.cisco.com (xhc-aln-x06.cisco.com [173.36.12.80]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s7S75DNG006335 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Thu, 28 Aug 2014 07:05:13 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.68]) by xhc-aln-x06.cisco.com ([173.36.12.80]) with mapi id 14.03.0195.001; Thu, 28 Aug 2014 02:05:13 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Review of draft-ietf-oauth-pop-architecture-00
Thread-Index: Ac/CjmcIsOP9pHNQQxmOz32kneaCNg==
Date: Thu, 28 Aug 2014 07:05:13 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A2831D1E6@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.49.215]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A2831D1E6xmbrcdx10ciscoc_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/BfKwcayifODZ3a04r0iHnw_M8VI
Subject: [OAUTH-WG] Review of draft-ietf-oauth-pop-architecture-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 07:05:18 -0000
My comments:
1) Figure 3: Resource server in the response could also generate Signature/MAC to prove the client that it is in possession of cryptographic keying material.
2) Section 3.2:
Will new HTTP headers be defined in one of the PoP drafts for the application layer to carry the TLS channel binding information ?
3)Section 3.3: It is covering various attack scenarios except active, man-in-middle attack.
4)Why only discuss TLS and not DTLS ?
5)Section 3.4: Enterprise networks, ISP etc. may also deploy HTTP(S) proxy.
6)Please explain scenarios in which using asymmetric cryptography is better suited for PoP than using symmetric cryptography.
7)I don't see any discussion on HMAC algorithm negotiation b/w the client and resource server.
It may help to define mandatory to implement and default algorithms.
8)Protocols like Dynamic Symmetric Key Provisioning Protocol (DSKPP) (RFC6063) could be considered for long-term secret b/w the AS and RS.
9)Nit> Figure 4: Add arrows for (V) and (IV)
10) AS-to-RS Relationship Anonymity:
This MAC Token security does not provide AS-to-RS relationship
anonymity since the client has to inform the resource server about
the resource server it wants to talk to.
Nit> I think you meant "inform the authorization server about the resource server it wants to talk to"
Cheers,
-Tiru
- [OAUTH-WG] Review of draft-ietf-oauth-pop-archite… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Review of draft-ietf-oauth-pop-arc… Hannes Tschofenig