Re: [secdir] SECDIR review of draft-ietf-oauth-proof-of-possession-07

Chris Lonvick <lonvick.ietf@gmail.com> Thu, 10 December 2015 00:58 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5BE01A6F6E; Wed, 9 Dec 2015 16:58:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pj3w5bAOuN6Q; Wed, 9 Dec 2015 16:58:12 -0800 (PST)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C3D1A6F4C; Wed, 9 Dec 2015 16:58:11 -0800 (PST)
Received: by oige206 with SMTP id e206so36614557oig.2; Wed, 09 Dec 2015 16:58:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=k+lOL85o1YbunGemQdhNS0qOpmZuhIDcVc7rgSAWWM8=; b=AFuEav+PYn6F4WHdoyt6AkQLM9XQb9gyR9JOJAhUlVcjURCY8p9jGUaxeBsCtemVmH lXLKcNDnnxoM7wupW3X+TbUOXDu8rwVUBwAAfSSXK11HsYhwLZiH2u7fJx3Zpv9ab8jh kPnVnZ47Ijc9ZCQ03fAC+hhHw919kH0dHVcDaidfBYSOk6Gre6FXLBGAu1MWpkuPQKSP VoipgRXGA1QdtUQT5ynmMDJcKoXUMLhxJaQTiiNl//mUhWDQycTMF14v5is1WaOwMsE7 p00iKOHSprYMAUBrNcRjtyet8xXbq3o0KDHVzou04tyx/jxfRi4Omi3qOFGlzfqi/5ll Lu0A==
X-Received: by 10.202.51.138 with SMTP id z132mr6761082oiz.39.1449709091226; Wed, 09 Dec 2015 16:58:11 -0800 (PST)
Received: from Chriss-MacBook-Air.local ([2601:2c0:8002:a6f0:180:8279:cc0f:32ce]) by smtp.googlemail.com with ESMTPSA id y75sm4785809oie.6.2015.12.09.16.58.10 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 09 Dec 2015 16:58:10 -0800 (PST)
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-oauth-proof-of-possession.all@tools.ietf.org
References: <56677FD4.4070201@gmail.com>
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <5668CE21.1030700@gmail.com>
Date: Wed, 9 Dec 2015 18:58:09 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <56677FD4.4070201@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/CvBeDYACCqkG5lGMvwR66nwETzo>
Subject: Re: [secdir] SECDIR review of draft-ietf-oauth-proof-of-possession-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 00:58:14 -0000

Shoot! I cut-n-pasted an incorrect email address yesterday. Resending to 
get this to the authors and everyone. Sorry for the dup's to some people.
Best regards,
Chris

On 12/8/15 7:11 PM, Chris Lonvick wrote:
> Hi,
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> Overall, the document looks pretty good.
>
> I'd  recommend taking another look at the Security Considerations 
> section. It is sufficient and contains everything that I think needs 
> to be said. However, it may be a bit more clear if you separate the 
> security concerns of the protocol, from the security concerns of 
> credential management and policy. As I see it, the first and last 
> paragraphs are concerned with credentials and policy while the middle 
> paragraphs have statements about the actual protocol.
>
> As a nit, I would suggest defining PoP at some point. While it's 
> pretty obvious, I just like the traditional use of defining it before 
> it's used.  :-)
>
> Best regards,
> Chris
>