Re: [secdir] Secdir last call review of draft-ietf-oauth-access-token-jwt-11
Benjamin Kaduk <kaduk@mit.edu> Wed, 07 April 2021 00:44 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6FBB3A37EE; Tue, 6 Apr 2021 17:44:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oqCw95mHAGP5; Tue, 6 Apr 2021 17:44:32 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E12A3A37EA; Tue, 6 Apr 2021 17:44:32 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1370iPcP023791 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 6 Apr 2021 20:44:29 -0400
Date: Tue, 06 Apr 2021 17:44:24 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Joseph Salowey <joe@salowey.net>
Cc: secdir@ietf.org, draft-ietf-oauth-access-token-jwt.all@ietf.org
Message-ID: <20210407004424.GW79563@kduck.mit.edu>
References: <161272369978.20616.15063633580755015902@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <161272369978.20616.15063633580755015902@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tnxFhu74xuMIefOmz9qxIjXScs8>
Subject: Re: [secdir] Secdir last call review of draft-ietf-oauth-access-token-jwt-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 00:44:35 -0000
Thanks for the review, Joe, and thanks Vittorio for the responses. With respect to (3), I did find one spot that seems to implicitly require bearer-token usage (we reference RFC 6750's error handling) that I mentioned in my No Objection ballot. -Ben On Sun, Feb 07, 2021 at 10:48:19AM -0800, Joseph Salowey via Datatracker wrote: > Reviewer: Joseph Salowey > Review result: Has Issues > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The summary of the review is the document has issues. > > 1. (Editorial) What is the relationship between this document and RFC 7523. > They are using JWT for different purposes, but I think it would be useful to > clarify this in the introduction. > > 2. (Issue) The specification does not specify any mandatory to implement for > the recommended asymmetric algorithms. This will not help interop. Perhaps > specify one or both of "RS256" and "ES256". > > 3. (Question) Is it currently possible to use the JWT access token in a mode > other than a bearer token? For example is there a way to bind the JWT to a > verifiable key or identifier. If there is, there should be some discussion of > this in the security considerations. If not, do the authors know if there is > any work planned in this area? > > 4. Genart review pointed out a nit that should be fixed. > > >
- [secdir] Secdir last call review of draft-ietf-oa… Joseph Salowey via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Vittorio Bertocci
- Re: [secdir] Secdir last call review of draft-iet… Joseph Salowey
- Re: [secdir] Secdir last call review of draft-iet… Benjamin Kaduk