Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 06 January 2017 21:25 UTC

To: Nat Sakimura <sakimura@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Eg6dqFD72A6jlR6A34ZMQMWIYw0>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Hello,

I have added this document to the telechat on 2/2 and can bump it out
further if needed.  The comments that are outstanding should be addressed
and a new draft published.  Once there is agreement on the updates and the
version has been published, I'll start IETF last call.

Thank you & happy new year!
Kathleen

On Wed, Dec 28, 2016 at 11:27 AM, Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> Hi Nat,
>
> Thank you for the updates.  Please let me know when you publish a new
> version.  I'll start last call after the new year.  inline.
>
> On Tue, Dec 27, 2016 at 7:57 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> Hi
>>
>> Sorry to have taken so long to respond -- too much travel.
>>
>
> I hope you are able to rest a bit!
>
>
>>
>> My responses inline.
>>
>> On Sat, Oct 29, 2016 at 12:39 AM Kathleen Moriarty <
>> kathleen.moriarty.ietf@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to
>>> be a nice addition to help with security.  Thanks for your work on it.
>>>
>>> I only have a few comments.
>>>
>>> The first is just about some wording that is awkward in the TLS section.
>>>
>>> What's there now:
>>>
>>> Client implementations supporting the Request Object URI method MUST
>>>    support TLS as recommended in Recommendations for Secure Use of
>>>    Transport Layer Security (TLS) and Datagram Transport Layer Security
>>>    (DTLS) [RFC7525].
>>>
>>> How about:
>>>
>>> Client implementations supporting the Request Object URI method MUST
>>>    support TLS following Recommendations for Secure Use of
>>>    Transport Layer Security (TLS) and Datagram Transport Layer Security
>>>    (DTLS) [RFC7525].
>>>
>>> Not a major change and just editorial, so take it or leave it.
>>>
>>
>> Accepted as presented in my personal copy.
>> See: https://bitbucket.org/Nat/oauth-jwsreq/commits/0de915b22f13
>>
>>
>>>
>>> 2. In section 10, the introduction sentence leaves me wondering where
>>> the additional attacks against OAuth 2.0 should also have a pointer in this
>>> sentence:
>>>
>>>    In addition to the all the security considerations discussed in OAuth
>>>    2.0 [RFC6819], the following security considerations should be taken
>>>    into account.
>>>
>>>
>>>
>> An IETF document about them has not been adopted yet. Shall I just add a
>> sentence or two describing the threats that each sub-section is dealing
>> with? Or shall I point to the research papers that I was reading? (Some of
>> them are not freely available though.)
>>
>
> Any document that describes them will likely be an 'updates' to the OAuth
> spec, so we should be okay.  Is the WG likely to adopt a draft soon?  If
> so, we could wait to start IETF last call.
>
>
>>
>>> 3. Nit: in first line of 10.4:
>>>
>>> Although this specification does not require them, researchs
>>>
>>> s/researchs/researchers/
>>>
>>
>> In fact, I meant either "research" or "researches" as I was not pointing
>> to persons but rather the work done by them.
>> I fixed it as "research" in my personal copy.
>> See: https://bitbucket.org/Nat/oauth-jwsreq/commits/0ec83d0c0c36
>>
>>
>>> 4. I'm sure you'll be asked about the following:
>>>
>>>    ISO/IEC 29100
>>>    [ISO29100] is a freely accessible International Standard and its
>>>    Privacy Principles are good to follow.
>>>
>>> What about the IETF privacy considerations for protocols, RFC6973, were
>>> they also considered?  I think you are covering what's needed, but no
>>> mention of it and favoring an ISO standard seems odd; using both is fine.
>>>
>>
>> Good point. ISO/IEC 29100 is a high level document so the coverage is
>> wider but does not get into concrete details whereas RFC6973 gives more
>> concrete guidance.  They complement each other. I have added a paragraph
>> about RFC6873 in my personal copy.
>>
>> See: https://bitbucket.org/Nat/oauth-jwsreq/commits/9030e1be5cac
>>
>>
> I think you've covered the important privacy considerations from 6973, so
> the statement added on it should make that clear so the reader knows you've
> done the work for them already.
>
> Please let me know when the update has been posted.
>
> Thank you,
> Kathleen
>
>>
>>> Thank you.
>>> --
>>>
>>> Best regards,
>>> Kathleen
>>>
>> --
>>
>> Nat Sakimura
>>
>> Chairman of the Board, OpenID Foundation
>>
>
>
>
> --
>
> Best regards,
> Kathleen
>



-- 

Best regards,
Kathleen