[secdir] secdir review of draft-ietf-oauth-v2-23
Leif Johansson <leifj@sunet.se> Sun, 26 February 2012 20:43 UTC
Message-ID: <4F4A9982.20600@sunet.se>
Date: Sun, 26 Feb 2012 21:43:46 +0100
From: Leif Johansson <leifj@sunet.se>
To: iesg@ietf.org, draft-ietf-oauth-v2.all@tools.ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-oauth-v2-23
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is a "re-visit" of a review I did of -22 of this specification, and so I'm only focusing on significant differences:

- Overall, -23 adds clarifications throughout the text and -23 is the better for it. Breaking out TLS requirements to a separate section makes the text more readable too.

- The new section on interoperability talks about future work and profiling but doesn't constrain future profiles in any way. To me this only punts on the issue of interoperability. I understand this is a hard problem. I suggest at least adding a list of parameters and other elements subject to profiling and, if possible, listing any constraints on such profiles.

- Several of the comments I made in my earlier review have been addressed, specifically those dealing with consistent use of terms and normative language.

- I like the text in 10.10 giving advice on generating tokens and credentials. However, the text gives specific entropy constraints but doesn't talk about using rate-limiting as protection against online guessing attacks. A good source for this is NIST SP 800-63 Appendix A. Also, I'm not sure entropy constraints are appropriate for a protocol specification, but barring the introduction of identity assurance for OAuth I don't have a better idea. I suggest noting that these constraints are subject to revision with the state of the art in online guessing so implementors don't get too married to these particular numbers.
Best
    Leif Johansson

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9KmX4ACgkQ8Jx8FtbMZncBzwCfV0NOmp+I+PQI1n6vdvtZM8/X
HSQAoL2wz8DOCAbMCXwHa4zwUjsMBZon
=Jx3y
-----END PGP SIGNATURE-----
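As an added illustration of the last point in the review (token entropy plus rate-limiting against online guessing), the following Python is example code written for this archive page; it is not from the review, the OAuth draft, or NIST SP 800-63. The policy numbers (128 bits of token entropy, 5 failed attempts per 60-second window) are assumed for the example, which is exactly the kind of figure the reviewer suggests should be revisable rather than fixed in a protocol specification.

```python
import base64
import math
import secrets
from collections import defaultdict, deque

# Assumed policy values for this example (not numbers from the draft or
# from NIST SP 800-63): 128 bits of token entropy, and at most 5 failed
# verification attempts per client within a sliding 60-second window.
TOKEN_ENTROPY_BITS = 128
MAX_FAILED_ATTEMPTS = 5
WINDOW_SECONDS = 60.0


def generate_token(entropy_bits: int = TOKEN_ENTROPY_BITS) -> str:
    """Return a URL-safe token drawn from the OS CSPRNG with at least
    entropy_bits of entropy (rounded up to whole bytes)."""
    return secrets.token_urlsafe(math.ceil(entropy_bits / 8))


def token_entropy_bits(token: str) -> int:
    """Entropy, in bits, behind a token produced by generate_token.

    token_urlsafe emits unpadded base64url, so padding is restored before
    decoding; every decoded byte came from the CSPRNG and counts 8 bits.
    """
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


class GuessRateLimiter:
    """Sliding-window count of failed attempts per client.

    In-memory and single-process: a deployment would back this with a
    shared store so an attacker cannot spread guesses across servers.
    """

    def __init__(self, max_failures: int = MAX_FAILED_ATTEMPTS,
                 window: float = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, client_id: str, now: float) -> deque:
        # Drop failures that have aged out of the window.
        q = self._failures[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, client_id: str, now: float) -> bool:
        return len(self._prune(client_id, now)) >= self.max_failures

    def record_failure(self, client_id: str, now: float) -> None:
        self._prune(client_id, now).append(now)


def verify_token(presented: str, expected: str, client_id: str,
                 limiter: GuessRateLimiter, now: float) -> str:
    """Check a presented token; returns "ok", "invalid" or "rate_limited".

    The limiter is consulted before the comparison, so a client over its
    failure budget cannot confirm a guess even when it happens to be right.
    compare_digest keeps the comparison constant-time, so the limiter's
    verdict is the only timing-independent signal the client receives.
    """
    if limiter.is_blocked(client_id, now):
        return "rate_limited"
    if secrets.compare_digest(presented.encode(), expected.encode()):
        return "ok"
    limiter.record_failure(client_id, now)
    return "invalid"


def simulate_guessing(limiter: GuessRateLimiter, expected: str,
                      client_id: str = "client-1",
                      guesses: int = 8) -> list[str]:
    """Constructed input: one client submits random wrong tokens one
    second apart; returns the verdict for each attempt."""
    results = []
    for i in range(guesses):
        wrong = generate_token()  # fresh random value, will not match
        results.append(verify_token(wrong, expected, client_id,
                                    limiter, float(i)))
    return results


if __name__ == "__main__":
    tok = generate_token()
    print(f"token={tok} entropy_bits={token_entropy_bits(tok)}")
    lim = GuessRateLimiter()
    print(simulate_guessing(lim, tok))
    # The correct token is refused while the client is over budget ...
    print(verify_token(tok, tok, "client-1", lim, 9.0))
    # ... and accepted again once the window has slid past the failures.
    print(verify_token(tok, tok, "client-1", lim, 9.0 + WINDOW_SECONDS))
```

The two halves address the two halves of the reviewer's remark: token_entropy_bits makes the entropy figure something a deployment can check rather than assume, and GuessRateLimiter is the online-guessing control that 10.10's entropy numbers alone do not give you, with the budget expressed as constants so it can be tuned as the state of the art moves.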