Re: [secdir] SECDIR review of draft-ietf-oauth-discovery-07

Mike Jones <Michael.Jones@microsoft.com> Fri, 27 October 2017 20:33 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Donald Eastlake <d3e3e3@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-oauth-discovery@ietf.org" <draft-ietf-oauth-discovery@ietf.org>
CC: "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: SECDIR review of draft-ietf-oauth-discovery-07
Date: Fri, 27 Oct 2017 20:33:46 +0000
Message-ID: <CY4PR21MB0504DC13A5BDDD0C86E5B300F55A0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <CAF4+nEFHvwcJ4N=A=cjQC+wN4P9grRGwimHHoSDhCO+m0Xgj3A@mail.gmail.com>
In-Reply-To: <CAF4+nEFHvwcJ4N=A=cjQC+wN4P9grRGwimHHoSDhCO+m0Xgj3A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0uiteElkiALP9U9RT98tVPYfSyo>

Thanks, Donald.  I’ll do the update to 8126 in the next draft.

-- Mike

From: Donald Eastlake [mailto:d3e3e3@gmail.com]
Sent: Tuesday, October 24, 2017 7:32 PM
To: iesg@ietf.org; draft-ietf-oauth-discovery@ietf.org
Cc: secdir@ietf.org
Subject: SECDIR review of draft-ietf-oauth-discovery-07

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is that the draft is ready with one nit.

This draft defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

While I am not deeply familiar with this area of security technology, the extensive Security Considerations section seems thorough and correct as far as I can see.

Nit: The reference to RFC 5226 should probably be updated to RFC 8126.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com