Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-proof-of-possession-10: (with COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Thu, 17 December 2015 15:02 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Date: Thu, 17 Dec 2015 15:02:10 +0000
Message-ID: <BY2PR03MB442C3ED922A3486C37BDFB0F5E00@BY2PR03MB442.namprd03.prod.outlook.com>
References: <20151217114518.32317.77951.idtracker@ietfa.amsl.com>
In-Reply-To: <20151217114518.32317.77951.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/b2YldgcJgVv-numf-HWCGuEtZM8>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-proof-of-possession@ietf.org" <draft-ietf-oauth-proof-of-possession@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-proof-of-possession-10: (with COMMENT)

Thanks for your review, Stephen.  Replies inline below...

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Thursday, December 17, 2015 12:45 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-oauth-proof-of-possession@ietf.org; oauth-chairs@ietf.org;
> kepeng.lkp@alibaba-inc.com; oauth@ietf.org
> Subject: Stephen Farrell's No Objection on draft-ietf-oauth-proof-of-
> possession-10: (with COMMENT)
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-oauth-proof-of-possession-10: No Objection
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> - Figure 1 and the discussion thereof: you talk all the time here about "a
> symmetric key" so I think you ought to add a footnote like bit of text that says
> something like "note that there ought to be more than one key involved here,
> derived from the key exchanged at (0) via a KDF." I kinda wish that all that
> had been covered in one document but I guess that's part of the PoP arch
> doc, which is for later.

Sounds good

> - 3.1 says "outside the scope of this specification": just wondering - does that
> phrase occur in all OAuth RFCs? (only kidding, honest:-)

;-)

> - section 4, para 2: replay can also be avoided if a sub-key is derived from a
> shared secret that is specific to the instance of the PoP demonstration.

Good - will add

> - section 6: DE guidance - I think we ought to tell the DEs that the specification
> of a new thing needs to explicitly describe the security properties of using the
> new thing.

OK

> - I didn't see a response to the secdir review [1] but that was maybe sent to
> the wrong places.
> 
>    [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06266.html

Thanks for pointing this out.  My mail system had helpfully sorted this note into my Clutter folder. :-/  I'll send a reply shortly.

				-- Mike
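Stephen's two points above (more than one key derived via a KDF from the key exchanged at step (0), and replay avoided by a sub-key specific to one PoP demonstration) worked through as an added example; this is not code from the thread or from the draft. The ResourceServer class, the nonce-based challenge, the HKDF labels and the sample PoP key are my assumptions.

```python
import hmac
import hashlib
import secrets

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK, then expand it with the context in info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]

# Constructed sample: the symmetric PoP key bound to the token at step (0).
POP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def derive_subkey(pop_key: bytes, rs_nonce: bytes, purpose: bytes) -> bytes:
    """Sub-key for one demonstration: the RS nonce in info ties it to this instance."""
    return hkdf(pop_key, salt=b"oauth-pop-demo", info=purpose + b"|" + rs_nonce)

def client_demonstrate(pop_key: bytes, rs_nonce: bytes, request: bytes) -> bytes:
    """Client side: MAC the request with the per-instance sub-key, never the raw PoP key."""
    return hmac.new(derive_subkey(pop_key, rs_nonce, b"pop-mac"), request, hashlib.sha256).digest()

class ResourceServer:
    """Hypothetical RS that hands out one-shot nonces and verifies demonstrations."""
    def __init__(self, pop_key: bytes):
        self.pop_key = pop_key
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, rs_nonce: bytes, request: bytes, tag: bytes) -> bool:
        if rs_nonce not in self.outstanding:
            return False                  # unknown or already-used nonce: reject replay
        self.outstanding.discard(rs_nonce)  # each nonce accepts exactly one demonstration
        expected = hmac.new(derive_subkey(self.pop_key, rs_nonce, b"pop-mac"), request, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def run_scenario() -> tuple:
    """Fresh demonstration succeeds; replaying it, or reusing its tag under a new nonce, fails."""
    rs = ResourceServer(POP_KEY)
    request = b"GET /resource HTTP/1.1"       # constructed request bytes
    n1 = rs.challenge()
    tag1 = client_demonstrate(POP_KEY, n1, request)
    first = rs.verify(n1, request, tag1)
    replay = rs.verify(n1, request, tag1)    # same demonstration presented again
    n2 = rs.challenge()
    cross = rs.verify(n2, request, tag1)     # old tag against a new instance
    return first, replay, cross
```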