[OAUTH-WG] AD Review of draft-ietf-oauth-spop-10

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sat, 18 April 2015 15:39 UTC

Date: Sat, 18 Apr 2015 11:39:29 -0400
Message-ID: <CAHbuEH4rOsD-TXbL9_+6HrK3_tpoPrfKVLqcJ4f0k1nFCFunMQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/N-HSQPSagCYnNN8nftK0T8HDFi0>
Subject: [OAUTH-WG] AD Review of draft-ietf-oauth-spop-10

Hello,

I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be
said about TLS 1.2 in the security recommendations.  I see that it is
recommended through RFC6819 that just says:

    Attacks can be mitigated by using transport-layer mechanisms such as
    TLS [RFC5246].  A virtual private network (VPN), e.g., based on IPsec
    VPNs [RFC4301], may be considered as well.

And more has been said in recent publications.  Since this particular draft
is addressing a threat exposed when TLS is not in use, the language from
the last draft would be better, requiring at least TLS 1.2 and referring to
the TLS BCP.

The only other point from my review is a nit:
At the end of section 4.4, there should be quotes around both instances of
"plain".

Once this has been addressed, we can start IETF last call.

Thank you!
-- 

Best regards,
Kathleen
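As an added illustration, not part of Kathleen's message or of the draft's own text, the following Python sketches the two points the review touches on: the section 4.4 check in which the authorization server recomputes the code_challenge from the presented code_verifier (for both the "plain" and the "S256" methods) and compares it in constant time, and a server-side TLS context that refuses anything below TLS 1.2. It assumes draft-ietf-oauth-spop is the PKCE specification later published as RFC 7636; the S256 test vector is the one from that RFC's Appendix B, and all function names are my own.

```python
import base64
import hashlib
import hmac
import re
import secrets
import ssl

# code_verifier alphabet and length bounds from the PKCE specification:
# 43..128 characters drawn from [A-Za-z0-9] / "-" / "." / "_" / "~".
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random octets encode to 43 characters, the minimum length."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge the client sends on the authorization request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # "plain" only relies on TLS for confidentiality of the verifier,
        # which is why the draft's TLS requirements matter for it.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server side (section 4.4): recompute and compare before issuing tokens."""
    if not _VERIFIER_RE.match(verifier):
        return False
    try:
        expected = code_challenge(verifier, stored_method)
    except ValueError:
        return False
    # Constant-time comparison so a mismatch does not leak where it diverged.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def min_tls12_server_context() -> ssl.SSLContext:
    """A server context that will not negotiate below TLS 1.2 (certificate
    loading via load_cert_chain() is left to the deployment)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed walk-through of one authorization + token exchange.
    v = make_code_verifier()
    challenge = code_challenge(v, "S256")          # sent with the authorization request
    print("verifier accepted:", verify_code_verifier(challenge, "S256", v))
    print("wrong verifier accepted:", verify_code_verifier(challenge, "S256", "a" * 43))
    print("TLS floor:", min_tls12_server_context().minimum_version.name)
```

The server must store the method alongside the challenge at authorization time; re-deriving the method from the token request would let a client downgrade "S256" to "plain".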