[OAUTH-WG] Secdir last call review of draft-ietf-oauth-access-token-jwt-11

Joseph Salowey via Datatracker <noreply@ietf.org> Sun, 07 February 2021 18:48 UTC

From: Joseph Salowey via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-oauth-access-token-jwt.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Message-ID: <161272369978.20616.15063633580755015902@ietfa.amsl.com>
Reply-To: Joseph Salowey <joe@salowey.net>
Date: Sun, 07 Feb 2021 10:48:19 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qyT1dS0m0s4uSagUipJxEV34GYI>
Subject: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-access-token-jwt-11

Reviewer: Joseph Salowey
Review result: Has Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is that the document has issues.

1. (Editorial) What is the relationship between this document and RFC 7523?
They are using JWT for different purposes, but I think it would be useful to
clarify this in the introduction.

2. (Issue) The specification does not specify a mandatory-to-implement
algorithm among the recommended asymmetric algorithms.  This will not help
interop.  Perhaps specify one or both of "RS256" and "ES256".

3. (Question) Is it currently possible to use the JWT access token in a mode
other than a bearer token?  For example, is there a way to bind the JWT to a
verifiable key or identifier?  If there is, there should be some discussion of
this in the security considerations.  If not, do the authors know if there is
any work planned in this area?

4. Genart review pointed out a nit that should be fixed.
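The following is an added example, not part of the review or the draft, illustrating points 2 and 3 from a resource server's side: the "alg" header is checked against a fixed RS256/ES256 allowlist before any signature verification is attempted, and the presence of a "cnf" claim (RFC 7800 proof-of-possession semantics) is used to tell a key-bound token from a plain bearer token. The allowlist policy, the sample tokens and the placeholder signature are assumptions of the example; real signature verification with the issuer's key is out of scope here.

```python
import base64
import json

# Policy for the resource server (added example, not text from the draft or the
# review): only the two algorithms the review suggests as mandatory-to-implement.
ALLOWED_ALGS = {"RS256", "ES256"}
# Media type the draft defines for JWT access tokens ("typ" header).
ACCESS_TOKEN_TYP = "at+jwt"


def _b64url_decode(segment: str) -> bytes:
    # JWS compact serialization omits base64url padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_sample_token(header: dict, claims: dict) -> str:
    # Constructed sample only: the third segment is a placeholder, not a real
    # signature, because signature verification (needing the issuer's key) is
    # out of scope for this example.
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode(),
             b"placeholder-signature-not-verified"]
    return ".".join(_b64url_encode(p) for p in parts)


def check_access_token_policy(token: str) -> dict:
    """Checks a resource server runs *before* signature verification, so the
    token's own "alg" never selects the verification routine (review point 2),
    and reports whether the token is key-bound or a bearer token (point 3)."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"accept": False, "reason": "expected three JWS segments"}
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("typ") != ACCESS_TOKEN_TYP:
        return {"accept": False, "reason": f"typ {header.get('typ')!r} is not an access token"}
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Covers "none", HMAC algorithms and anything else the policy does not list.
        return {"accept": False, "reason": f"alg {alg!r} not in allowlist"}
    # A "cnf" claim (RFC 7800) marks a key-bound token: the presenter must also
    # prove possession of the referenced key; without it the token is a bearer token.
    return {"accept": True, "alg": alg, "key_bound": "cnf" in claims}
```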