[secdir] Secdir review of draft-ietf-oauth-saml2-bearer-21
Vincent Roca <vincent.roca@inria.fr> Tue, 14 October 2014 15:11 UTC
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F1581A8901; Tue, 14 Oct 2014 08:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.335
X-Spam-Level:
X-Spam-Status: No, score=-7.335 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R-gHLuQrLi5Q; Tue, 14 Oct 2014 08:11:30 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859F01A8937; Tue, 14 Oct 2014 08:11:01 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.04,717,1406584800"; d="scan'208,217";a="101103430"
Received: from geve.inrialpes.fr ([194.199.24.116]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 14 Oct 2014 17:10:59 +0200
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6A75C438-C831-4449-8481-837FF0735E52"
Date: Tue, 14 Oct 2014 17:10:59 +0200
Message-Id: <AEBDE45E-963A-47B5-997F-416562FE1B32@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-oauth-saml2-bearer@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/dlYy8urDMcjPPe1y3g_OkIDd7CM
Subject: [secdir] Secdir review of draft-ietf-oauth-saml2-bearer-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 15:11:44 -0000
Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. IMHO, the document is almost ready. I just have minor comments: SAML and OAUTH are already covered by extensive, detailed security and privacy considerations sections. I agree with the authors there is no need to duplicate text in the present document. However I have two comments: 1- it is mentioned that replay attack protection is not mandatory, but there is no justification. On the opposite, protection against replay attacks is mentioned at several places in [OASIS.saml-sec-consider-2.0-os] (e.g., 6.1.2, 6.4.5, 6.5.2, 6.5.6, 7.1.1.4). I don’t know to what extent the situation differs, but I’m curious to know why it is so. 2- [OASIS.saml-sec-consider-2.0-os] reference does not include any URL. It’s probably worth to add it. http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf Cheers, Vincent
- [secdir] Secdir review of draft-ietf-oauth-saml2-… Vincent Roca
- Re: [secdir] Secdir review of draft-ietf-oauth-sa… Brian Campbell
- [secdir] Secdir review of draft-ietf-dart-dscp-rt… Tina TSOU
- Re: [secdir] Secdir review of draft-ietf-dart-dsc… Black, David