[OAUTH-WG] Review of draft-ietf-oauth-v2-http-mac-01
"Richard L. Barnes" <rbarnes@bbn.com> Sat, 31 March 2012 00:30 UTC
Message-ID: <4F76502C.5040409@bbn.com>
To: oauth@ietf.org
As promised in the OAuth meeting at IETF 83, I have done a review of draft-ietf-oauth-v2-http-mac-01. I have sent detailed comments to the authors, which are summarized below.

This document is in pretty good shape. The definition of the authentication scheme itself, and the OAuth mechanism for distributing MAC parameters, both seem clearly specified and easy to implement. Modulo some minor comments, for example:

- The current normalized request seems to protect GET query parameters and not POST; this should either be corrected or noted.

The main area where I would like to see more work on this document is around operational considerations. What parameters do servers need to maintain in order to manage timestamps and nonces? How do they decide when they can forget nonces?

Thanks to the authors for their good work on this. Looking forward to seeing the next version.

--Richard
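The two points raised in the review (query parameters covered by the normalized request while a POST body is not, and the server-side state needed to manage timestamps and nonces) can be made concrete with a small verifier. The following is an added example written for this page; it is not code from the reviewer, the draft authors, or any implementation of the draft. It assumes the normalized request is the timestamp, nonce, upper-cased method, request-URI (path plus query), lower-cased host, port and ext, each followed by a newline, and uses HMAC-SHA-256 with base64 output as an assumed MAC algorithm. The key id, key, URL and window of 300 seconds are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed sample credentials (not from the draft or the review).
MAC_KEY_ID = "example-key-id"
MAC_KEY = b"constructed-shared-secret"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalized_request(ts, nonce, method, url, ext=""):
    """Assumed layout of the normalized request string: timestamp, nonce,
    upper-cased method, request-URI (path plus query), lower-cased host,
    port and ext, each followed by a newline.  The request body is never an
    input here, which is exactly why GET query parameters are covered by the
    MAC while a POST body is not."""
    parts = urlsplit(url)
    request_uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    elements = [str(ts), nonce, method.upper(), request_uri,
                parts.hostname.lower(), str(port), ext]
    return "".join(e + "\n" for e in elements)


def compute_mac(key, normalized):
    """HMAC-SHA-256 over the normalized string, base64 encoded (assumed algorithm)."""
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


class ReplayCache:
    """The server-side state needed to reject replays: a freshness window for
    the timestamp, and the (key id, nonce) pairs seen inside that window.
    A nonce can be forgotten once its timestamp falls outside the window,
    because a replay carrying it would then fail the timestamp check anyway."""

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic testing
        self.seen = {}              # (key_id, nonce) -> timestamp of first use

    def check_and_record(self, key_id, ts, nonce):
        now = self.clock()
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        self._expire(now)
        entry = (key_id, nonce)
        if entry in self.seen:
            return False, "nonce already used"
        self.seen[entry] = ts
        return True, "ok"

    def _expire(self, now):
        # Drop nonces whose timestamp can no longer pass the window check.
        stale = [k for k, t in self.seen.items() if now - t > self.window]
        for k in stale:
            del self.seen[k]


def verify_request(cache, key_id, key, ts, nonce, method, url, ext, presented_mac):
    """Server-side check: recompute the MAC, compare in constant time, then
    apply the timestamp window and the nonce cache."""
    expected = compute_mac(key, normalized_request(ts, nonce, method, url, ext))
    if not hmac.compare_digest(expected, presented_mac):
        return False, "bad mac"
    return cache.check_and_record(key_id, ts, nonce)


if __name__ == "__main__":
    now = [1_000_000]                       # fake clock, seconds
    cache = ReplayCache(window_seconds=300, clock=lambda: now[0])
    url = "https://example.com/resource?b=1&a=2"
    ts, nonce = now[0] - 10, "nonce-1"
    mac = compute_mac(MAC_KEY, normalized_request(ts, nonce, "GET", url))
    print(verify_request(cache, MAC_KEY_ID, MAC_KEY, ts, nonce, "GET", url, "", mac))
    # Same request again: the nonce cache catches the replay.
    print(verify_request(cache, MAC_KEY_ID, MAC_KEY, ts, nonce, "GET", url, "", mac))
    # A POST with any body normalizes to the same string as one with no body.
    print(normalized_request(ts, "nonce-2", "POST", url) == normalized_request(ts, "nonce-2", "POST", url))
```

The cache answers the reviewer's operational question directly: the server keeps a clock skew window and the nonces seen inside it, and nothing older, because the timestamp check alone rejects anything outside the window. Memory is therefore bounded by request rate times window length rather than growing without limit.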