Telechat Review of draft-ietf-ace-oauth-authz-41

Request Review of draft-ietf-ace-oauth-authz
Requested rev. no specific revision (document currently at 45)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2021-03-23
Requested 2021-03-08
Authors Ludwig Seitz, Göran Selander, Erik Wahlstroem, Samuel Erdtman, Hannes Tschofenig
Draft last updated 2021-05-21
Completed reviews Secdir Last Call review of -27 by Stephen Kent
Genart Last Call review of -27 by Stewart Bryant
Secdir Telechat review of -41 by Phillip Hallam-Baker
Assignment Reviewer Phillip Hallam-Baker 
State Completed
Review review-ietf-ace-oauth-authz-41-secdir-telechat-hallam-baker-2021-05-21
Reviewed rev. 41 (document currently at 45)
Review result Ready
Review completed: 2021-05-21


This draft was previously reviewed by Steve Kent for the -27 version. My review therefore mostly consists of checking that the changes recommended have been made and that no new issues have arisen. Note that contrary to the data in the tracker, I was not given the assignment in 2019.

If you decide that you want to use OAuth for authorization security for the Internet of Things, this is a reasonable approach to take. This is not a simple proposition or for the fainthearted. OAuth is built around the various constraints of the browser world to which the constraints of being a constrained device are added.

The issues raised by Steve have all been addressed as far as I can see. It looks good to go but since it is a security spec, ADs should still take note.