Re: [OAUTH-WG] Review comments to PoP Architecture
Phil Hunt <phil.hunt@oracle.com> Sat, 19 September 2015 19:32 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7141B2BF7 for <oauth@ietfa.amsl.com>; Sat, 19 Sep 2015 12:32:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UPY4uxkvgGxh for <oauth@ietfa.amsl.com>; Sat, 19 Sep 2015 12:32:43 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D4311B2BC7 for <oauth@ietf.org>; Sat, 19 Sep 2015 12:32:42 -0700 (PDT)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t8JJWZF2023240 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 19 Sep 2015 19:32:37 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id t8JJWZWc002662 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 19 Sep 2015 19:32:35 GMT
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id t8JJWZQr004124; Sat, 19 Sep 2015 19:32:35 GMT
Received: from [192.168.1.27] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 19 Sep 2015 12:32:34 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-A1C03494-8990-4F12-BDFA-67C4630DDA90"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (12H321)
In-Reply-To: <D223A7DD.1D140%kepeng.lkp@alibaba-inc.com>
Date: Sat, 19 Sep 2015 12:32:32 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <1975D47A-6BD2-40EE-BA24-FB8C7EB10631@oracle.com>
References: <D223A7DD.1D140%kepeng.lkp@alibaba-inc.com>
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/kXzs-Ho0J15DWabtp5MLSlTUccY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review comments to PoP Architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2015 19:32:46 -0000
Thanks Kepeng for the review. I will respond next week. Cheers, Phil > On Sep 19, 2015, at 09:02, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote: > > Additional comments: > > 6. Section 4: > 1) An attacker may generate a bogus tokens … > [Kepeng] Change “tokens” to “token”. > > 2) A client may also re-use access tokens for some other resource servers. > [Kepeng] Change “re-use” to “reuse”. The pragraph title says “reuse”. Also in other places. > > 3) To illustrate key confirmation the first examples borrow from Kerberos and use symmetric key cryptography. > [Kepeng] Change “the first examples borrow” to “the first example is borrowed”. > > 7. Section 5.4 > 1) As a high level message, there are various ways how the threats can be mitigated and while the details of each solution is somewhat different they all ultimately accomplish the goal. > [Kepeng] Change the last sentence to: the details of each solution are somewhat different even they all can ultimately accomplish the goal. > > 2) Depending on the chosen layer for providing client-side authentication there may be additional challenges due Web server load balancing, lack of API access to identity information, etc. > [Kepeng] Change “due” to “due to”. > > 8. Section 6: > [Kepeng] It will be better if we can divide this section into several sub-sections, e.g. each sub-section can be related to each figure. > > 9. Section 7: > 1) [Kepeng] Usually the order for a specification is: use cases, requirements, then architecture. Why do we have requirements after architecture? Should we move this section ahead? > > 2) The authorization checking prevents an elevation of privilege attack, and it ensures that an unauthorized authorized is detected. > [Kepeng] What is “an unauthorized authorized”? Should it be “an unauthorized access”? > > Kind Regards > Kepeng > > 发件人: Li Kepeng <kepeng.lkp@alibaba-inc.com> > 日期: Saturday, 19 September, 2015 12:55 am > 至: <oauth@ietf.org> > 主题: [OAUTH-WG] Review comments to PoP Architecture > > Hello authors, > > Please find my review comments to PoP Architecture document: > https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-02 > > 1. Introduction: > At the time of writing the OAuth 2.0 protocol family ([RFC6749], [RFC6750], and [RFC6819]) offer a single standardized security mechanism to access protected resources, namely the bearer token. > [Kepeng] This sentences seem to be incomplete. What offers a security mechanism? Also why do we mention “at the time of writing”? Is the situation changed now? > > 2. Section 3: > The main use case that motivates better-than-bearer token security is the desire of resource servers to obtain additional assurance that the client is indeed authorized to present an access token. > [Kepeng] About “better-than-bear”, is it a word? Maybe reword the sentence a little bit. > > 3.Section 3.1 > 1) In a legitimate use case consider chaining of computations whereby a resource server needs to consult other third party resource servers to complete the requested operation. > [Kepeng] This sentence seems to be incomplete. Maybe reword it a little bit? > > 2) In this use case additional information is conveyed to the resource server to ensure that no entity entity has tampered with the TLS connection. > [Kepeng] Change “is conveyed” to “should be conveyed”? > > 4. Section 3.3: > First, an eavesdropper may steal an access token and represent it at a different resource server. > [Kepeng] Change “represent it at” to “present it to”? > > 5. Section 3.4: > These load balancers may terminate the TLS connection setup and HTTP traffic is transmitted in the clear from the load balancer to the resource server. > [Kepeng] Don’t understand “in the clear”. Should it be “in the wire”? > > Kind Regards > Kepeng > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt
- Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt