Re: [secdir] secdir review of draft-ietf-oauth-device-flow
Christopher Wood <christopherwood07@gmail.com> Mon, 27 August 2018 02:30 UTC
Return-Path: <christopherwood07@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64CF0130E45; Sun, 26 Aug 2018 19:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2YeOkujte4DR; Sun, 26 Aug 2018 19:30:03 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F123C130E44; Sun, 26 Aug 2018 19:30:02 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id u13-v6so541209iti.1; Sun, 26 Aug 2018 19:30:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fX0WUVTsuNp5Z/zNI+jVlwOK4ceAg6u4IFuCX+ibY/U=; b=AQ/kwyCczG0Ff14cUJSu7ylYcI2a0+fRhD9l2TXHdP+6AUlchw+/zg2zi+HDmtX76S LGBzzENfPWXtQ47/H/trRjB4ZEbLCgPwKfOSR3WP10xPE+Qb3drlgyxNmbBfCXz9BhVc 2GNKQnY3Ymu9fQEbqM158KUxaNYNMarKsrL3t0192IRuxX5xupuc6EOk+bNAZijZwDpj J5IpkAkobJaEQZv+oG+LdBkPJzVPsVQS0hAFqKaoGTKkemScg8nPaUyWAIVZEMk21R4u 6k6ThxK7lx+uUeiBsJ6Ot0xCV2CaHlmk5mzjolspuv6FIMPH30oGNfS/12fFt0VINCjr Z3wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fX0WUVTsuNp5Z/zNI+jVlwOK4ceAg6u4IFuCX+ibY/U=; b=F+uAzzRi5hHAFwY2ZVxgIiinVmqUxJFj10qMvBe0Zyf7qV4Cv1E7h5qgRacndZ38Jx boiwA+mKoqB58Mh8IUJ0gsokroayeiiFc5kr/3yU4XmW3aX3b92QskYDfp9dNNtenZ1z gZkeSZnksp9+lXIBeWEu/TQnV2ev7Kmc59QRTW3HJV8uIRuDtJr5xS6IQ3+6LjwhfH/o DiOue5BBy4Z065MtE7y4WgjtaisIL/O7DMWRlOQZq4KHulihuSnkxarhYzFdim2piOzT JbI7ousz7GbdsU7EgTOoR6o0lAUdr8qza3fhggHLFvHrYjv+jvBE/33SdJBNeMfkmg17 BzPQ==
X-Gm-Message-State: APzg51ChvmedGSRX0p+PN8SqY5pX6cDxfRQ7GJdv6ECntjkgTnhrDrEh S8KfApM9o6UePpCgpUSZzQMiXwj8GF4hDTi6a5cG2g==
X-Google-Smtp-Source: ANB0VdY83mp2GO15zr9O0VUAL++ULDiX8RVcjvjkD7iiztm3aOMY2TxH97eB+2J+CKts4k8Mq/L7g/2OJay5qolPeSw=
X-Received: by 2002:a02:3b55:: with SMTP id i21-v6mr8874355jaf.118.1535337002092; Sun, 26 Aug 2018 19:30:02 -0700 (PDT)
MIME-Version: 1.0
References: <E17D37F9-070C-4E9D-9955-0E50F09DA89B@gmail.com> <CAAP42hAqmOZjC1ANjdG=R8QSY1G7as4qR=utRWE-ZD=Yr_FNNQ@mail.gmail.com>
In-Reply-To: <CAAP42hAqmOZjC1ANjdG=R8QSY1G7as4qR=utRWE-ZD=Yr_FNNQ@mail.gmail.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Sun, 26 Aug 2018 19:29:51 -0700
Message-ID: <CAO8oSXmY93HovXRETmhmcdkurRN9ovrtziQQDfVDNva=-fhT9Q@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow.all@ietf.org, secdir@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009ed07705746180f3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pV26UzX7o-bUo-gq7pVbmSLYGgs>
Subject: Re: [secdir] secdir review of draft-ietf-oauth-device-flow
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 02:30:04 -0000
Hi William, Please see inline below. On Wed, Aug 1, 2018 at 5:03 PM William Denniss <wdenniss@google.com> wrote: > > On Tue, Jun 12, 2018 at 5:55 PM, Christopher Wood < > christopherwood07@gmail.com> wrote: > >> Hello, >> >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG. These comments were written primarily for the benefit of the >> security area directors. Document editors and WG chairs should treat >> these comments just like any other last call comments. >> >> The summary of my review is: Ready with nits. >> >> Overall, the document is in fine shape. I have a few general comments >> (not quite nits, >> though not quite issues either), listed below: >> >> - Section 3.5, fifth paragraph: Requiring clients to poll at a >> “reasonable” polling interval >> without a suggestion of what is reasonable seems strange. Could you >> suggest a value that’s >> within reason, e.g., every second? >> > > We documented a default of 5s in version 12. > > >> - Section 5.1, first paragraph: It might be useful to point to Section >> 6.1 wherein User Code >> generation is discussed. Right now minimum entropy “requirements” are >> listed without further >> details regarding viable mechanisms. >> > > The authors are still considering this feedback, along with Benjamin > Kaduk's DISCUSS. > > >> - Section 5.2, second paragraph: The text claims that an end user would >> end up “on the >> authorization page of the wrong service.” Can you provide more details >> here? What stops >> the malicious MITM from serving an authorization page that’s >> indistinguishable from the >> legitimate service page? > > > >> - Section 5.3, first paragraph: How specifically does the authorization >> service prevent >> devices from lying when providing “information about the device”? Or, >> alternatively, how >> does the authorization service learn this information? >> > > These 2 also pending. > > >> - Section 5.4: Would it be useful to suggest that clients SHOULD use a >> secure (encrypted >> and authenticated) channel when communicating to the user device? >> > > This section is actually referring to real-world spying, i.e. someone in > the same room as you who can see the TV. Perhaps we need to make that more > clear? > That might help. It seems to be only a matter of clarity, not correctness. > >> >> The remainder of my comments, listed below, are editorial in nature, >> aimed towards improving >> readability of the document. >> >> - Section 1, step (E): This is the first time client polling is mentioned >> without >> discussion of timeouts or server-generated errors. The draft provides >> such details later >> on, so it would be helpful to allude or point to them here. >> > > I believe this is covered in detail in the document, this section is > intending to just be a high-level overview. > > >> - Section 3.3, second paragraph: Please cite TLS upon use (“… in a secure >> TLS-protected >> session.”). >> > > Done, thanks! > > >> - Section 3.3, second paragraph: The text suggests that the server >> informs the user to >> “return to their device.” Perhaps this should be prefaced with a MAY, as >> the client will >> eventually learn that authorization is complete upon polling. >> > > MAY was added, thanks! > > >> - Section 3.3.1, first paragraph: Should it be required that >> “verification_uri_complete” >> is constructed in part from the “verification_uri” and “user_code”? I’m >> not sure this is >> necessary, though the example given is constructed this way. If not >> required, this might be >> worth noting. >> > > The working group considered this, in fact originally we were not going to > have verification_uri_complete and it would just be defined as a > composition of those two values. In the end, the work group decided to make > it separate. The authorization server can combine them to create the > complete verification URI, or may use something else. > > The text currently states the following which I believe covers this: > > "A verification URI that includes the "user_code" (or > other information with the same function as the "user_code"), > designed for non-textual transmission." > > - Section 3.5, first paragraph: s/token endpoint/authentication server? >> > > This section does actually relate to the token endpoint. > Ah, okay. I misunderstood. Thanks! > >> - Section 5.1, third paragraph: This text is mostly redundant with the >> preceding paragraphs. >> I would remove or merge it with the paragraphs above. >> > > I don't agree that it's redundant. Willing to review text if you have a > concrete proposal. > My only recommendation is to remove the paragraph. I think it’s already covered by the preceding paragraphs. That said, I don’t think this is necessary. It’s merely a suggestion. > > Please let me know if you’ve further questions, comments, or concerns. I >> hope this helps. > > It does indeed. Thanks for your changes! Best, Chris
- [secdir] secdir review of draft-ietf-oauth-device… Christopher Wood
- Re: [secdir] secdir review of draft-ietf-oauth-de… William Denniss
- Re: [secdir] secdir review of draft-ietf-oauth-de… Christopher Wood
- Re: [secdir] secdir review of draft-ietf-oauth-de… William Denniss
- Re: [secdir] secdir review of draft-ietf-oauth-de… Christopher Wood