Re: [OAUTH-WG] Review comments to PoP Architecture
"Kepeng Li" <kepeng.lkp@alibaba-inc.com> Sat, 19 September 2015 16:02 UTC
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ADBA1B5FFA for <oauth@ietfa.amsl.com>; Sat, 19 Sep 2015 09:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.351
X-Spam-Level: **
X-Spam-Status: No, score=2.351 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_CHARSET_FARAWAY=2.45, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fOCAsmxbAgah for <oauth@ietfa.amsl.com>; Sat, 19 Sep 2015 09:02:51 -0700 (PDT)
Received: from out4133-34.mail.aliyun.com (out4133-34.mail.aliyun.com [42.120.133.34]) by ietfa.amsl.com (Postfix) with ESMTP id D49631B2DE3 for <oauth@ietf.org>; Sat, 19 Sep 2015 09:02:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1442678568; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=E+qggXWLT+kEGO5bB4rsbnIp9Y9ybAAh/crVUF+QK+8=; b=DVgHMgvNyGHtQ6K1OV+hADhQTWOKRr1y5Iexepr8coAE7/wlpRMaqlTYNVnb9qLHG0t12gP5mgTb2vz8dwq99jD9nI3PYdFIHySvHM7jC1CcysRdegkPK/sdSut6Q52BjjPZupskiGxv7egEIbuT1qGjYMrDIPDOvM2oOdWs0Cs=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R211e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03305; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=2; SR=0;
Received: from 10.22.58.129(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.73.208) by smtp.aliyun-inc.com(127.0.0.1); Sun, 20 Sep 2015 00:02:42 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Sun, 20 Sep 2015 00:02:38 +0800
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, oauth@ietf.org
Message-ID: <D223A7DD.1D140%kepeng.lkp@alibaba-inc.com>
Thread-Topic: [OAUTH-WG] Review comments to PoP Architecture
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3525552162_38973998"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/CzMmzaH2RYFnGnAYveaJekjGvo0>
Subject: Re: [OAUTH-WG] Review comments to PoP Architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2015 16:02:55 -0000
Additional comments: 6. Section 4: 1) An attacker may generate a bogus tokens … [Kepeng] Change “tokens” to “token”. 2) A client may also re-use access tokens for some other resource servers. [Kepeng] Change “re-use” to “reuse”. The pragraph title says “reuse”. Also in other places. 3) To illustrate key confirmation the first examples borrow from Kerberos and use symmetric key cryptography. [Kepeng] Change “the first examples borrow” to “the first example is borrowed”. 7. Section 5.4 1) As a high level message, there are various ways how the threats can be mitigated and while the details of each solution is somewhat different they all ultimately accomplish the goal. [Kepeng] Change the last sentence to: the details of each solution are somewhat different even they all can ultimately accomplish the goal. 2) Depending on the chosen layer for providing client-side authentication there may be additional challenges due Web server load balancing, lack of API access to identity information, etc. [Kepeng] Change “due” to “due to”. 8. Section 6: [Kepeng] It will be better if we can divide this section into several sub-sections, e.g. each sub-section can be related to each figure. 9. Section 7: 1) [Kepeng] Usually the order for a specification is: use cases, requirements, then architecture. Why do we have requirements after architecture? Should we move this section ahead? 2) The authorization checking prevents an elevation of privilege attack, and it ensures that an unauthorized authorized is detected. [Kepeng] What is “an unauthorized authorized”? Should it be “an unauthorized access”? Kind Regards Kepeng 发件人: Li Kepeng <kepeng.lkp@alibaba-inc.com> 日期: Saturday, 19 September, 2015 12:55 am 至: <oauth@ietf.org> 主题: [OAUTH-WG] Review comments to PoP Architecture Hello authors, Please find my review comments to PoP Architecture document: https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-02 1. Introduction: At the time of writing the OAuth 2.0 protocol family ([RFC6749], [RFC6750], and [RFC6819]) offer a single standardized security mechanism to access protected resources, namely the bearer token. [Kepeng] This sentences seem to be incomplete. What offers a security mechanism? Also why do we mention “at the time of writing”? Is the situation changed now? 2. Section 3: The main use case that motivates better-than-bearer token security is the desire of resource servers to obtain additional assurance that the client is indeed authorized to present an access token. [Kepeng] About “better-than-bear”, is it a word? Maybe reword the sentence a little bit. 3.Section 3.1 1) In a legitimate use case consider chaining of computations whereby a resource server needs to consult other third party resource servers to complete the requested operation. [Kepeng] This sentence seems to be incomplete. Maybe reword it a little bit? 2) In this use case additional information is conveyed to the resource server to ensure that no entity entity has tampered with the TLS connection. [Kepeng] Change “is conveyed” to “should be conveyed”? 4. Section 3.3: First, an eavesdropper may steal an access token and represent it at a different resource server. [Kepeng] Change “represent it at” to “present it to”? 5. Section 3.4: These load balancers may terminate the TLS connection setup and HTTP traffic is transmitted in the clear from the load balancer to the resource server. [Kepeng] Don’t understand “in the clear”. Should it be “in the wire”? Kind Regards Kepeng _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt
- Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt