[OAUTH-WG] Joel Jaeggli's No Objection on draft-ietf-oauth-spop-12: (with COMMENT)

"Joel Jaeggli" <joelja@bogus.com> Wed, 10 June 2015 02:40 UTC

From: "Joel Jaeggli" <joelja@bogus.com>
To: "The IESG" <iesg@ietf.org>
Message-ID: <20150610024008.30330.79118.idtracker@ietfa.amsl.com>
Date: Tue, 09 Jun 2015 19:40:08 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RBV_Ur2Cj78UvSaqaMUZL6BVbiw>
Cc: draft-ietf-oauth-spop@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-spop.shepherd@ietf.org, oauth@ietf.org, draft-ietf-oauth-spop.ad@ietf.org
Subject: [OAUTH-WG] Joel Jaeggli's No Objection on draft-ietf-oauth-spop-12: (with COMMENT)

Joel Jaeggli has entered the following ballot position for
draft-ietf-oauth-spop-12: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

From Melinda Shore's OPSdir review:

I have reviewed this document as part of the Operational directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving the
operational aspects of the IETF drafts.  Comments that are not
addressed in last call may be included in AD reviews
during the IESG review.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary:

This document is ready, with very minor issues.  It does not appear to
introduce new management/manageability considerations.

This document describes a challenge-response mechanism to protect
against an OAuth authorization code being intercepted by an attacker,
when that authorization code is sent in the clear.  The authorization
code is used to acquire an access token and must be protected.  This
attack (an attacker using an intercepted authz code to acquire an
access token) has been observed in the wild.

We are astonished to learn that OAuth is being run over an
unencrypted channel.

However, given that it is, this is a reasonable defense mechanism.

Questions:

Why is S256 RECOMMENDED and not a MUST?

Nits:

ASCII(STRING) does not appear to be used in the protocol grammar?

Melinda
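The challenge-response mechanism the review summarises, and the difference between the plain and S256 methods that the "why not MUST" question turns on, as an added Python example. This is not code from this message, from the draft, or from any OAuth implementation; the code_verifier alphabet and the S256 transform (base64url of SHA-256 over the ASCII verifier, no padding) follow the draft, while the toy AuthorizationServer class and the attacker scenario functions are assumptions made here for illustration.

```python
"""PKCE (draft-ietf-oauth-spop) worked example: S256 vs plain, and why an
intercepted authorization code on its own no longer yields a token."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Unreserved characters permitted in a code_verifier (43..128 of them).
VERIFIER_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz0123456789-._~")


def make_code_verifier(length: int = 64) -> str:
    """High-entropy code_verifier drawn from the unreserved character set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def base64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as the draft requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str, method: str) -> str:
    """code_challenge for the given code_challenge_method."""
    if method == "plain":
        return verifier
    if method == "S256":
        # BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
        return base64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method {method!r}")


class AuthorizationServer:
    """Toy AS (assumption for illustration): binds the challenge presented in
    the authorization request to the code it issues, and checks the verifier
    presented with that code at the token endpoint."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "plain") -> str:
        """Authorization request; returns the authorization code."""
        if method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        """Token request; True only if the verifier matches the bound challenge."""
        entry = self._codes.pop(code, None)  # a code is single-use
        if entry is None or code_verifier is None:
            return False
        challenge, method = entry
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(make_code_challenge(code_verifier, method), challenge)


def legitimate_client(method: str) -> bool:
    """Honest client: generates the verifier, sends the challenge, redeems the code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier, method), method)
    return server.token(code, verifier)


def attacker_with_code_only(method: str) -> bool:
    """The attack the draft targets: the attacker intercepts only the
    authorization code and tries to redeem it without the verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier, method), method)
    return server.token(code, None)


def attacker_saw_authz_request(method: str) -> bool:
    """Stronger attacker: also observed the authorization request, so it knows
    the challenge, and replays that as the verifier.  With plain the challenge
    IS the verifier, so this works; with S256 it does not."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    code = server.authorize(challenge, method)
    return server.token(code, challenge)


if __name__ == "__main__":
    for m in ("plain", "S256"):
        print(m, legitimate_client(m), attacker_with_code_only(m),
              attacker_saw_authz_request(m))
```

The two attacker functions make the S256 question concrete: both methods stop an attacker who captured only the authorization code, but only S256 also stops one who could observe the authorization request, because with plain the challenge in that request is the verifier itself.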