[OAUTH-WG] AD review of draft-ietf-oauth-jwsreq
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 28 October 2016 15:39 UTC
Hello,

I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to be a nice addition to help with security. Thanks for your work on it. I only have a few comments.

1. The first is just about some wording that is awkward in the TLS section.

What's there now:

   Client implementations supporting the Request Object URI method MUST support TLS as recommended in Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) [RFC7525].

How about:

   Client implementations supporting the Request Object URI method MUST support TLS following Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) [RFC7525].

Not a major change and just editorial, so take it or leave it.

2. In section 10, the introduction sentence leaves me wondering where the additional attacks against OAuth 2.0 should also have a pointer in this sentence:

   In addition to the all the security considerations discussed in OAuth 2.0 [RFC6819], the following security considerations should be taken into account.

3. Nit: in first line of 10.4:

   Although this specification does not require them, researchs

   s/researchs/researchers/

4. I'm sure you'll be asked about the following:

   ISO/IEC 29100 [ISO29100] is a freely accessible International Standard and its Privacy Principles are good to follow.

What about the IETF privacy considerations for protocols, RFC6973, were they also considered? I think you are covering what's needed, but no mention of it and favoring an ISO standard seems odd; using both is fine.

Thank you.

--
Best regards,
Kathleen