[secdir] Secdir last call review of draft-ietf-tokbind-protocol-16
Yoav Nir <ynir.ietf@gmail.com> Fri, 24 November 2017 19:19 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B226C1293D6; Fri, 24 Nov 2017 11:19:25 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yoav Nir <ynir.ietf@gmail.com>
To: secdir@ietf.org
Cc: draft-ietf-tokbind-protocol.all@ietf.org, unbearable@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.66.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151155116566.9001.9710010900094084736@ietfa.amsl.com>
Date: Fri, 24 Nov 2017 11:19:25 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QlnjmMtul5vjG1xEWpWrWszXCnQ>
Subject: [secdir] Secdir last call review of draft-ietf-tokbind-protocol-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Nov 2017 19:19:26 -0000
Reviewer: Yoav Nir Review result: Ready The document seems ready with two minor editorial nits: 1. The first sentence is as follows: Often, servers generate various security tokens (e.g. HTTP cookies, OAuth [RFC6749] tokens) If you reference the OAuth RFC, you should also reference the HTTP cookie RFC (RFC 6265) 2. The term "bound token" appears in section 2 without any definition. Perhaps add something like "An application token contained in a token binding message is called a bound token" Other than that, the document is well written and the security issues are dealt with well in sections 4 and 5 as well as the security considerations section (7).