[Unbearable] Secdir last call review of draft-ietf-tokbind-https-15

"Tobias Gondrom" <tobias.gondrom@gondrom.org> Mon, 14 May 2018 17:29 UTC

From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
To: <secdir@ietf.org>, <draft-ietf-tokbind-https.all@ietf.org>
Cc: "'IETF Tokbind WG'" <unbearable@ietf.org>, "'Eric Rescorla'" <ekr@rtfm.com>, <ve7jtb@ve7jtb.com>, <leifj@sunet.se>
Date: Mon, 14 May 2018 19:29:44 +0200
Message-ID: <025501d3eba9$2649d690$72dd83b0$@gondrom.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/ZTuI8az5yxk1Eql0rovlSuGhFKA>

Reviewer: Tobias Gondrom

Review result: Ready


I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.

These comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.


Overall the document looks good, ready to go. 

In my review, I did not find any material concerns with the document, and no

It is good that the security considerations part is quite detailed and
reflects the main security risks. 

Additionally, it is also appreciated that privacy considerations are
reasonably addressed in section 8. In the case of this particular protocol,
time well spent to spell this out.


Ready to release. 


Best regards, Tobias



PS: apologies for my delay in sending out the review.