[secdir] SECDIR review of draft-ietf-oauth-proof-of-possession-07

Chris Lonvick <lonvick.ietf@gmail.com> Wed, 09 December 2015 01:11 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 32BE41B2D18; Tue, 8 Dec 2015 17:11:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id EoWjbz9BIXCR; Tue, 8 Dec 2015 17:11:50 -0800 (PST)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 063DE1B2D14; Tue, 8 Dec 2015 17:11:50 -0800 (PST)
Received: by obbww6 with SMTP id ww6so25550096obb.0; Tue, 08 Dec 2015 17:11:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-type:content-transfer-encoding; bh=RHuHpGkmVGyCYbXoUGrfv7gIVc0I1igiMv5bUY14aAs=; b=jNRw9b+iOuvBrE8nBKhEewzfzxXWB8GZyliO8zq2eQ7jwUqqVjtHYjfKokGnFKCOKe 1BRQu7YDdZCrI/eTGDI5pQAxQizOPGU5g+L2BPwObhdrl1leVAV+UAmehXDOwmjh7AjK n20F+RL4v18ASDpJ8Dk17g+LjTCzgmRtm57U1W2vRkU7aywspZUDT2Zd555Ew7x5RnQR 545BJR7pUpTWKM2kkKpKeGFwGrOHdTPM65oW6tAvMIZx7LbO0TpgdDuVBsJ7T9dz/VXJ 93nUdwEHOXM0VqMFypF6Ucg/7GVuOZtctSW7iAD3pOdBNb3DjM5JUmiK/U3u0OqWeNql 6Rqw==
X-Received: by with SMTP id zc1mr2276246obb.23.1449623509406; Tue, 08 Dec 2015 17:11:49 -0800 (PST)
Received: from Chriss-MacBook-Air.local ([2601:2c0:8002:a6f0:40bd:3623:80c3:23e]) by smtp.googlemail.com with ESMTPSA id wk4sm2514573oeb.3.2015. (version=TLSv1/SSLv3 cipher=OTHER); Tue, 08 Dec 2015 17:11:49 -0800 (PST)
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-oauth-proof-of-possession.all@tools.ietf
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <56677FD4.4070201@gmail.com>
Date: Tue, 8 Dec 2015 19:11:48 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/y6cdRHwNpruvU3hvQ_wpumgww8Y>
Subject: [secdir] SECDIR review of draft-ietf-oauth-proof-of-possession-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 01:11:51 -0000


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

Overall, the document looks pretty good.

I'd  recommend taking another look at the Security Considerations 
section. It is sufficient and contains everything that I think needs to 
be said. However, it may be a bit more clear if you separate the 
security concerns of the protocol, from the security concerns of 
credential management and policy. As I see it, the first and last 
paragraphs are concerned with credentials and policy while the middle 
paragraphs have statements about the actual protocol.

As a nit, I would suggest defining PoP at some point. While it's pretty 
obvious, I just like the traditional use of defining it before it's 
used.  :-)

Best regards,