IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-oauth-assertions-09

Shawn Emery <shawn.emery@oracle.com> Wed, 06 February 2013 08:38 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 680B721F8510; Wed, 6 Feb 2013 00:38:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EKwKQKZLA0WE; Wed, 6 Feb 2013 00:38:38 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 98D5B21F8501; Wed, 6 Feb 2013 00:38:38 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r168cbtX024572 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 6 Feb 2013 08:38:38 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r168cbuh027817 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Feb 2013 08:38:37 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r168cbvx000368; Wed, 6 Feb 2013 02:38:37 -0600
Received: from [10.159.70.158] (/10.159.70.158) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 06 Feb 2013 00:38:36 -0800
Message-ID: <5112164C.3060009@oracle.com>
Date: Wed, 06 Feb 2013 01:37:32 -0700
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:10.0.11) Gecko/20121204 Thunderbird/10.0.11
MIME-Version: 1.0
To: secdir@ietf.org
References: <50A9523F.9070607@oracle.com> <50DFE815.2020501@oracle.com>
In-Reply-To: <50DFE815.2020501@oracle.com>
Content-Type: multipart/alternative; boundary="------------010200040103040708010602"
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: draft-ietf-oauth-assertions.all@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] Review of draft-ietf-oauth-assertions-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 08:38:39 -0000

A new version of this draft has been made, 10, which implicitly 
addresses the concerns that I had brought up during the secdir review.

Shawn.
--
On 12/30/12 12:07 AM, Shawn Emery wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This internet-draft describes an assertion framework for the OAuth 2.0 protocol.  Given that
> that this is a framework, subsequent drafts would be needed for a deployed mechanism.
>
> The security considerations section does exist and outlines various issues including
> impersonation, replay, and privacy.  The section then suggests ways of mitigating these
> threats.  This seems sufficient, but can there be more guidance on the Assertion ID to
> avoid collision or replay (e.g. length, roll-over, etc.)?
>
> General comments:
>
> None.
>
> Editorial comments:
>
> Redundant wordings, suggested fix:
>
> Old:
>
>   An IEFT URN for use as the "XXXX" value can be requested using
>   the template in An IETF URN Sub-Namespace for OAuth [RFC6755  <http://tools.ietf.org/html/rfc6755>].
>
> New:
>
>   An IEFT URN for use as the "XXXX" value can be requested using
>   the template in [RFC6755  <http://tools.ietf.org/html/rfc6755>].
>
> Shouldn't urn:ietf:params:oauth:grant_type:* be
> urn:ietf:params:oauth:grant-type:*?
>
> s/included yet all/included, yet all/
>
> Shawn.
> --
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email