[secdir] SECDIR review of draft-ietf-oauth-native-apps-11
Donald Eastlake <d3e3e3@gmail.com> Wed, 24 May 2017 02:40 UTC
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

The primary goal of this BCP draft is to specify that OAuth 2.0 authorization requests from native apps should only be made through external user agents, primarily the user's browser, as opposed to an embedded user-agent.

Security Considerations

This BCP is all at quite a high level. It talks about interprocess and world wide web interactions to effectuate OAuth 2.0, mechanisms with which I am not too familiar. But, all mechanism details are in other documents. The recommendations seem reasonable and the beginning of the Security Considerations section paints a somewhat dismal security picture compared with that typical of cryptographic or protocol security. As best I can tell, it is ready with trivial nits as listed below.

Minor

SSO is used multiple times but never expanded.

Trivial English Improvements

Page 13, Section 8.8
"for native apps to include" -> "that native apps include"

Page , Appendix B
"in an generic manner" -> "in a generic manner"

Page 19, Appendix B.4, 2nd paragraph
Last word of first line and first word of second line are duplicates.

Thanks,
Donald
===============================
Donald E. Eastlake 3rd +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3@gmail.com