[OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-spop-12: (with COMMENT)

"Ben Campbell" <ben@nostrum.com> Tue, 09 June 2015 21:31 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 65B071A1B14; Tue, 9 Jun 2015 14:31:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id N5ZWsB4ORNNR; Tue, 9 Jun 2015 14:31:18 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CCFC81A1AFF; Tue, 9 Jun 2015 14:31:18 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Ben Campbell <ben@nostrum.com>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150609213118.20446.71588.idtracker@ietfa.amsl.com>
Date: Tue, 09 Jun 2015 14:31:18 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/IZhTKuWeAm7QtAc_vNLZ0zbhbWg>
X-Mailman-Approved-At: Wed, 10 Jun 2015 06:21:52 -0700
Cc: draft-ietf-oauth-spop@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-spop.shepherd@ietf.org, oauth@ietf.org, draft-ietf-oauth-spop.ad@ietf.org
Subject: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-spop-12: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2015 21:31:20 -0000

Ben Campbell has entered the following ballot position for
draft-ietf-oauth-spop-12: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


I share Barry's and Alexey's concerns about both allowing "plain" and
defaulting to it.  I have some other comments, which may overlap with the
comments from others:


-- section 1, pre-condition 3: "All OAuth 2.0 native app client-instances
use the same client_id.  Secrets provisioned in client binary
applications cannot be considered confidential."

Is that part of the pre-condition per-se, or a general statement? If the
former, wouldn't a potential mitigation for this attack be to ensure the
precondition doesn't occur?

-- section 1, paragraph after precondition list: "not applicable since
they rely on a per-client instance secret or aper client instance
   redirect URI."

I infer that these are not realistic? If so, it might be useful to say
why. For instance, would one way to mitigate this attack be to make sure
you have per-client secrets and redirect URIs?

-- 4.4.1, last sentence:

Does this advice change if people register new challenge methods?  That
is, what if the client supports "plain", and "foo" but not S256, where
foo is more secure than plain. Can it still use "plain"?

-- 6.2:

Does the ability to register new challenge methods introduce bid-down
attacks? (Assuming that any such method is more secure than "plain", and
that the server might not support it.)

Also, I share Barry's concern that the registration procedures require
quite a bit of special treatment from IANA.

-- 7.4:

This seems to need a normative reference to 6819.

-- 7.5: How does the guidance in section 10.8 of 6479 apply to the
code_verifier? Also, I think the last sentence requires this draft (or
some other) to update 6749.


-- 4.4, 2nd to last paragraph: "The server MUST NOT include the
"code_challenge" value in client requests in a form that other entities
can extract."

should "client requests" be "responses to clients"? (I assume the server
does not send client requests--or do I have the terminology wrong?)

-- 4.4.1, first paragraph:
Please expand PKCE on first mention. (It might help to declare PKCE in
the introduction.)