[secdir] Secdir review of draft-ietf-ace-oauth-params-13

Charlie Kaufman <charliekaufman@outlook.com> Sat, 13 March 2021 04:29 UTC


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This is a re-review; I reviewed version -06 in December 2019.

In the intervening versions, the specification was simplified somewhat at the cost of removing support for key rollover of asymmetric keys in certain scenarios. A section was added, "Requirements when using asymmetric keys", which contained what I considered a confusing reference to DTLS, but it does not make the spec ambiguous.

This is a small extension to [I-D.ietf-ace-oauth-authz] and is separate from that document for technical reasons that I don't understand but which seem plausible.

The security considerations section says simply (and I agree):

This document is an extension to [I-D.ietf-ace-oauth-authz]. All security considerations from that document apply here as well.

All of the nits mentioned in the previous review have been corrected.