[secdir] secdir review of draft-ietf-oauth-v2-23

Leif Johansson <leifj@sunet.se> Sun, 26 February 2012 20:43 UTC

Message-ID: <4F4A9982.20600@sunet.se>
Date: Sun, 26 Feb 2012 21:43:46 +0100
From: Leif Johansson <leifj@sunet.se>
To: iesg@ietf.org, draft-ietf-oauth-v2.all@tools.ietf.org, secdir@ietf.org


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This is a "re-visit" of a review I did of -22 of this specification
and so I'm only focusing on significant differences:

- Overall -23 adds clarifications throughout the text and -23 is
the better for it. Breaking out TLS requirements to a separate
section makes the text more readable too.

- The new section on interoperability talks about future work and
profiling but doesn't constrain future profiles in any way. To me
this only punts on the issue of interoperability. I understand this
is a hard problem. I suggest at least adding a list of parameters
and other elements subject to profiling and if possible list any
constraints on such profiles.

- Several of the comments I made in my earlier review have been
addressed, specifically those dealing with consistent use of terms
and normative language.

- I like the text in 10.10 giving advice on generating tokens and
credentials. However, the text gives specific entropy constraints
but doesn't talk about using rate-limiting as protection against
online guessing attacks. A good source for this is NIST SP 800-63
Appendix A. Also, I'm not sure entropy constraints are appropriate
for a protocol specification but barring the introduction of
identity assurance for OAuth I don't have a better idea. I suggest
noting that these constraints are subject to revision with state of
the art in online guessing so implementors don't get too married
to these particular numbers.

	Best
	Leif Johansson
