[OAUTH-WG] AD review of draft-ietf-oauth-jwsreq

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 28 October 2016 15:39 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B060012967D for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 08:39:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Kd3O5OwajcS6 for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 08:39:00 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C42129658 for <oauth@ietf.org>; Fri, 28 Oct 2016 08:39:00 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id d65so29419290vkg.0 for <oauth@ietf.org>; Fri, 28 Oct 2016 08:39:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=qkuBAIYFHfgU1lq5j29yR8V18NSwqL07g51sMg/GavI=; b=EORxB8N6LhT+V93AvrfR8c7c06PhW3Ux7JcZn2HZAmu8WNR7UzhFW23xMgBORMq0Zu W4zZ0/neTb6fl/43ma2fMYC9FSV6+uwv9OElF4o6agPZSec+o/iy70oY9bAhU7SRxPUC DzQk7R/xCpOUJSGlhah27CYzkazoyhVydsSi55Z8aOsnBdwWwFn0lbQSa+t6WNZoeSTj O+AKUpLgOvSYZRWx38HRcH4QqTBxVbWoAcDgE6PQlaLOdFM4gsYg7aGQgnctMvusENKR ATfW6SHVGjf+6kg1Qe9/yK+GYAokRlodE26hFoTP07Ho1akamrY3x9+SuukLbbrZTV2V VPAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=qkuBAIYFHfgU1lq5j29yR8V18NSwqL07g51sMg/GavI=; b=Hw451YNlWhbyimtIBNDZT7IiSm9JKnCpZYp9juvnFJ3r9/3S509xQuWx9IF62RAooL tDgJAlyiOrkKnvLrl4i+OTN0lcadp8gFTbttOIwUaNplbRbMOT75xOCoWhwetrd2QTrE tM5Rm53GyMpo0xXQTzX2eHlFWLyHgXLZMBZIPMcFAS3FoRerMqkLKbcs3aHpNJBz4nUG I3Woko194TauHhgHWmVk5ZbqCMqSeV3dNLZVtgPMDnsFgUsA1nc4CREwrkgc7JHVegxD A+1jcnmaY85XQghnvUTAP03+c7/MOGMKVCgEfcrExuqxolw86wNgWlVrs7CuChm96yeJ yBQg==
X-Gm-Message-State: ABUngveYLSlYiG7/+HTwSJcpXqNtgVmrPTlag1Dl1EJSvfE4HLOHaJFF6pte+qUAbOypxDsOLZcs8RQEI7qapg==
X-Received: by with SMTP id z75mr12904493vkd.41.1477669139010; Fri, 28 Oct 2016 08:38:59 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 28 Oct 2016 08:38:58 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 28 Oct 2016 11:38:58 -0400
Message-ID: <CAHbuEH4Vxdda4yUH932GEZjEiLi1KdYU9_1MLoLAn_AZA=41Yw@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140e662205b77053feea8a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oJZmtbUFzzm0wY8G6MCx1NlP0Mo>
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 15:39:02 -0000


I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to be
a nice addition to help with security.  Thanks for your work on it.

I only have a few comments.

The first is just about some wording that is awkward in the TLS section.

What's there now:

Client implementations supporting the Request Object URI method MUST
   support TLS as recommended in Recommendations for Secure Use of
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) [RFC7525].

How about:

Client implementations supporting the Request Object URI method MUST
   support TLS following Recommendations for Secure Use of
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) [RFC7525].

Not a major change and just editorial, so take it or leave it.

2. In section 10, the introduction sentence leaves me wondering where the
additional attacks against OAuth 2.0 should also have a pointer in this

   In addition to the all the security considerations discussed in OAuth
   2.0 [RFC6819], the following security considerations should be taken
   into account.

3. Nit: in first line of 10.4:

Although this specification does not require them, researchs


4. I'm sure you'll be asked about the following:

   ISO/IEC 29100
   [ISO29100] is a freely accessible International Standard and its
   Privacy Principles are good to follow.

What about the IETF privacy considerations for protocols, RFC6973, were
they also considered?  I think you are covering what's needed, but no
mention of it and favoring an ISO standard seems odd., using both is fine.

Thank you.

Best regards,