[secdir] Secdir review of draft-ietf-oauth-jwt-bcp-04

Radia Perlman <radiaperlman@gmail.com> Sun, 31 March 2019 05:27 UTC

From: Radia Perlman <radiaperlman@gmail.com>
Date: Sat, 30 Mar 2019 22:27:22 -0700
Message-ID: <CAFOuuo4pZQ_ojPW-i=ni+SgC9aUCvUubH64qrf_=OqtaWCLXbQ@mail.gmail.com>
To: draft-ietf-draft-sheffer-oauth-jwt-bcp.all@ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/42cys4ES8FsBiYXwyzMQXWoug3s>
Subject: [secdir] Secdir review of draft-ietf-oauth-jwt-bcp-04

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

The summary is READY

This document is a well-written and well-thought-through listing of best
practices for using JSON web tokens.  I could not find any of the advice
that I disagreed with, nor could I think of any more issues that the draft
could have addressed.
Radia