Re: [secdir] SECDIR review of draft-ietf-oauth-proof-of-possession-07

Chris Lonvick <lonvick.ietf@gmail.com> Thu, 10 December 2015 00:58 UTC

To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-oauth-proof-of-possession.all@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/CvBeDYACCqkG5lGMvwR66nwETzo>

Shoot! I cut-n-pasted an incorrect email address yesterday. Resending to 
get this to the authors and everyone. Sorry for the dups to some people.
Best regards,
Chris

On 12/8/15 7:11 PM, Chris Lonvick wrote:
> Hi,
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> Overall, the document looks pretty good.
>
> I'd recommend taking another look at the Security Considerations 
> section. It is sufficient and contains everything that I think needs 
> to be said. However, it may be a bit more clear if you separate the 
> security concerns of the protocol from the security concerns of 
> credential management and policy. As I see it, the first and last 
> paragraphs are concerned with credentials and policy while the middle 
> paragraphs have statements about the actual protocol.
>
> As a nit, I would suggest defining PoP at some point. While it's 
> pretty obvious, I just like the traditional use of defining it before 
> it's used.  :-)
>
> Best regards,
> Chris
>