[OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 02 November 2011 16:45 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60B9421F8F18 for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 09:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ljC0Hrw57VO4 for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 09:45:45 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 4618521F8EE1 for <oauth@ietf.org>; Wed, 2 Nov 2011 09:45:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 37C25153D3A for <oauth@ietf.org>; Wed, 2 Nov 2011 16:45:32 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:subject:mime-version :user-agent:from:date:message-id:received:received: x-virus-scanned; s=cs; t=1320252331; bh=CMB3+/eCY6BgRc5JU2d1s/29 vJA73FVCPZVtInvfFM8=; b=A5VwfmQ0TaCSVhM0nAGoy/13Vsqlw2e96FC3nsj/ 4zQ1sW1M82w1YfoG+VmQwZq2eyaq0N0mp96K97+758RY6WZlVN/KtOcujGZMsZ6q xUkOkumBbgUTaoFht036A5HhbXDTRRs8MRUWx0JVLUh/eJSgI5Qa2scA9FzcL2mt 2mXXuOs35/hOmG+RtDjCwJX+vQ6BrnGwV7p33glSbPltROR0wjuTrFxsutHu5n2c ce+ktM8OZTH9huxHY21LidU4w8IiJSqJg860HRyHbu8Q7q5hdYBj+ZTEz0fU4vc1 tS2LBEv7OqzVtPkc0w+HfmfXU7U/u5lybWaG5O5fhtYwVQ==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id Z0GVXKUACw+t for <oauth@ietf.org>; Wed, 2 Nov 2011 16:45:31 +0000 (GMT)
Received: from [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c] (unknown [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id ADEDB153D39 for <oauth@ietf.org>; Wed, 2 Nov 2011 16:45:31 +0000 (GMT)
Message-ID: <4EB173A1.6040209@cs.tcd.ie>
Date: Wed, 02 Nov 2011 16:45:21 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 16:45:46 -0000
Hi, Good work - another one almost out the door! Thanks. However, I think this one needs a revised ID before we start IETF LC. Nothing hard to change I hope, but I think there are enough changes to make that its best done that way. I reckon items 3,5,7-11 and 13 below need fixing, but are I hope all easy. Not sure about item 4. All my other comments can be considered in conjunction with whatever other IETF LC comments we get, or now, whichever. If you want to argue that the WG already had strong consensus against a change I'm asking for, or that I'm just being dumb, (which happens all the time:-) then please do that and we can discuss it on the list and/or at the meeting. Regards, Stephen. questions/comments: 1) What does the 1st sentence of section 2 mean? What is the 2119 MAY for? Couldn't that sentence be deleted? If not, why not? 2) I think you should warn implementers in 2.3 that using the query string is fairly likely to result in the access token being logged, which is highly undesirable. (That is there later too, but I think deserves to be here.) What does "the only feasible method" mean? I think that needs to be defined, as was done in 2.2. 3) Where's it say what to do with a scope attribute presented by a server? 4) What is the realm attribute in section 3? What is a client expected to do with that? I guess it has to be different from how realm is used with e.g. Basic. (That might be my ignorance of HTTP details though;-) 5) Section 3 ABNF allows "realm=foo;realm=bar;scope=baz;error=123" is that ok? Is processing clear for all cases? I don't think it is. 6) 3.1, invalid_token - the client MAY retry, SHOULD it do that in an infinite loop? Probably not;-) 7) "Assuming" token integrity protection is wrong. You need to make it a MUST. That is, you need to say that resource servers MUST only accept tokens with strong integrity or similar. 8) I think you need to say that TLS is MTI and MUST be used, (i.e. with 2119 language) and it'd be better to put that in the introduction as well as 4.2. 9) As-is 4.2 allows anonymous D-H TLS ciphersuites. I don't think you want that, but yet you only call for ciphersuites that "offer confidentiality." I think that needs to be tightened up. 4.3 does tighten there, but I think 4.2's language also needs fixing. 10) The token validity doesn't have to be "inside." I could e.g. change a token MAC verification key every hour and limit lifetime that way. 11) Two paragraphs in 4.2 contradict one another. 3rd last para say you MUST use TLS, 2nd last para says you MUST have confidentiality "for instance...TLS." I'd ditch the second one I think, but something needs fixing. 12) Why reference 2818 instead of 6125? 13) I think you need to say something here about load balancers and other server side things that terminate TLS, before the resource server and behind which bearer tokens are unprotected. At least say that tokens MUST be protected there and provide guidance as to how to do that well. Lots of people do that badly I think. (At least at first;-) 14) Why are cookies first mentioned in 4.3? Seems like that should have been done earlier. nits: abstract: maybe s/granted resources/the associated resources/? abstract: s/the bearer token needs to/bearer tokens need to/? 1.2: s/abstraction layer/abstraction/ I don't see any layer there 2.1: I (and others) dislike the use of the reference as if it were part of the sentence, e.g. "defined by [I-D.whatever],..." Better would be "defined as part of HTTP authentication [I-D.whatever]" There are multiple occurrences of this. 2.1: s/follows/as follows/ 2.1, last para: I think the SHOULD in the last para of 2.1 and the corresponding rules in 2.2 & 2.3 would be better stated up front. end of p7, s/attribute MUST NOT/attributes MUST NOT/ 4.2, s/recommended/RECOMMENDED/ is better but they mean the same already!
- [OAUTH-WG] AD review of draft-ietf-oauth-bearer-13 Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-bear… Julian Reschke
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-bear… Manger, James H
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-bear… Julian Reschke
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-bear… Mike Jones