[OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-spop-12: (with COMMENT)
"Ben Campbell" <ben@nostrum.com> Tue, 09 June 2015 21:31 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65B071A1B14; Tue, 9 Jun 2015 14:31:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N5ZWsB4ORNNR; Tue, 9 Jun 2015 14:31:18 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CCFC81A1AFF; Tue, 9 Jun 2015 14:31:18 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Ben Campbell <ben@nostrum.com>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150609213118.20446.71588.idtracker@ietfa.amsl.com>
Date: Tue, 09 Jun 2015 14:31:18 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/IZhTKuWeAm7QtAc_vNLZ0zbhbWg>
X-Mailman-Approved-At: Wed, 10 Jun 2015 06:21:52 -0700
Cc: draft-ietf-oauth-spop@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-spop.shepherd@ietf.org, oauth@ietf.org, draft-ietf-oauth-spop.ad@ietf.org
Subject: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-spop-12: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2015 21:31:20 -0000
Ben Campbell has entered the following ballot position for draft-ietf-oauth-spop-12: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I share Barry's and Alexey's concerns about both allowing "plain" and defaulting to it. I have some other comments, which may overlap with the comments from others: Substantive: -- section 1, pre-condition 3: "All OAuth 2.0 native app client-instances use the same client_id. Secrets provisioned in client binary applications cannot be considered confidential." Is that part of the pre-condition per-se, or a general statement? If the former, wouldn't a potential mitigation for this attack be to ensure the precondition doesn't occur? -- section 1, paragraph after precondition list: "not applicable since they rely on a per-client instance secret or aper client instance redirect URI." I infer that these are not realistic? If so, it might be useful to say why. For instance, would one way to mitigate this attack be to make sure you have per-client secrets and redirect URIs? -- 4.4.1, last sentence: Does this advice change if people register new challenge methods? That is, what if the client supports "plain", and "foo" but not S256, where foo is more secure than plain. Can it still use "plain"? -- 6.2: Does the ability to register new challenge methods introduce bid-down attacks? (Assuming that any such method is more secure than "plain", and that the server might not support it.) Also, I share Barry's concern that the registration procedures require quite a bit of special treatment from IANA. -- 7.4: This seems to need a normative reference to 6819. -- 7.5: How does the guidance in section 10.8 of 6479 apply to the code_verifier? Also, I think the last sentence requires this draft (or some other) to update 6749. Editorial: -- 4.4, 2nd to last paragraph: "The server MUST NOT include the "code_challenge" value in client requests in a form that other entities can extract." should "client requests" be "responses to clients"? (I assume the server does not send client requests--or do I have the terminology wrong?) -- 4.4.1, first paragraph: Please expand PKCE on first mention. (It might help to declare PKCE in the introduction.)
- [OAUTH-WG] Ben Campbell's No Objection on draft-i… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Nat Sakimura