[secdir] SECDIR review of draft-ietf-oauth-discovery-07

Donald Eastlake <d3e3e3@gmail.com> Wed, 25 October 2017 02:32 UTC

From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 24 Oct 2017 22:31:49 -0400
Message-ID: <CAF4+nEFHvwcJ4N=A=cjQC+wN4P9grRGwimHHoSDhCO+m0Xgj3A@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-oauth-discovery@ietf.org
Cc: "secdir@ietf.org" <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ES9tgrRBGr8tetoGBwosdOPuYKg>

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is that the draft is ready with one nit.

This draft defines a metadata format that an OAuth 2.0 client can use to
obtain the information needed to interact with an OAuth 2.0 authorization
server, including its endpoint locations and authorization server
capabilities.

While I am not deeply familiar with this area of security technology, the
extensive Security Considerations section seems thorough and correct as far
as I can see.

Nit: The reference to RFC 5226 should probably be updated to RFC 8126.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com