[secdir] Secdir review of draft-ietf-oauth-saml2-bearer-21

Vincent Roca <vincent.roca@inria.fr> Tue, 14 October 2014 15:11 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1F1581A8901; Tue, 14 Oct 2014 08:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.335
X-Spam-Status: No, score=-7.335 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id R-gHLuQrLi5Q; Tue, 14 Oct 2014 08:11:30 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859F01A8937; Tue, 14 Oct 2014 08:11:01 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.04,717,1406584800"; d="scan'208,217";a="101103430"
Received: from geve.inrialpes.fr ([]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 14 Oct 2014 17:10:59 +0200
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6A75C438-C831-4449-8481-837FF0735E52"
Date: Tue, 14 Oct 2014 17:10:59 +0200
Message-Id: <AEBDE45E-963A-47B5-997F-416562FE1B32@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-oauth-saml2-bearer@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/dlYy8urDMcjPPe1y3g_OkIDd7CM
Subject: [secdir] Secdir review of draft-ietf-oauth-saml2-bearer-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 15:11:44 -0000


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

IMHO, the document is almost ready. I just have minor comments:

SAML and OAUTH are already covered by extensive, detailed security and privacy 
considerations sections.

I agree with the authors there is no need to duplicate text in the present document.
However I have two comments:

1- it is mentioned that replay attack protection is not mandatory, but there is no
justification. On the opposite, protection against replay attacks is mentioned at
several places in [OASIS.saml-sec-consider-2.0-os] (e.g., 6.1.2, 6.4.5, 6.5.2, 6.5.6, I don’t know to what extent the situation differs, but I’m curious to know
why it is so.

2- [OASIS.saml-sec-consider-2.0-os] reference does not include any URL. It’s probably
worth to add it.