[OAUTH-WG] Second AD Review: draft-ietf-oauth-mtls
Roman Danyliw <rdd@cert.org> Sat, 22 June 2019 18:29 UTC
Hi!

I conducted a second AD review of draft-ietf-oauth-mtls per the AD hand-off. I have the following additional feedback:

** Per ekr's earlier review at https://mozphab-ietf.devsvcdev.mozaws.net/D3657, paraphrasing:

-- Section 2.1.2. How are these metadata parameters being obtained?

-- Section 3.2, Figure 3. In this example, what new information is the auth server providing to the relying party here?

** Section 2.0. What is the expected behavior if the presented certificate doesn't match the expected client_id? How is this signaled?

** Section 2.2. Per the sentence "As pre-requisite, the client registers its X.509 certificate ... or a trusted source for its X.509 certificates ... with the authorization server."

-- Editorial: s/As pre-requisite/As a prerequisite/

-- What's a "trusted source" in this case? Is that just a jwks_uri? If so, maybe s/a trusted source/a reference to a trust source/. If not, can you please elaborate?

A few editorial nits:

** Section 2.2.2. Typo. s/sec 4.7/Section 4.7/

** Section 3.1. Cite DER encoding as:

[X690] ITU-T, "Information Technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, 2015.

** Section 5. Typo. s/metatdata/metadata/

** Section 6. Typo. s/The the/The/

** Section 7.2. Typo. s/the the/the/

** Appendix. Cite the figure numbers (#5 - 7) in the text describing the contents of the section.

The shepherd write-up is in good shape. Thank you.

Regards,
Roman