Last Call Review of draft-ietf-ace-oauth-params-06
review-ietf-ace-oauth-params-06-secdir-lc-kaufman-2019-12-24-00

Request Review of draft-ietf-ace-oauth-params
Requested revision No specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-12-13
Requested 2019-11-29
Authors Ludwig Seitz
Draft last updated 2019-12-24
Completed reviews Secdir Last Call review of -06 by Charlie Kaufman
Genart Last Call review of -06 by Elwyn B. Davies
Secdir Telechat review of -13 by Charlie Kaufman
Genart Telechat review of -13 by Elwyn B. Davies
Assignment Reviewer Charlie Kaufman
State Completed
Review review-ietf-ace-oauth-params-06-secdir-lc-kaufman-2019-12-24
Posted at https://mailarchive.ietf.org/arch/msg/secdir/KaYEiThsRWP6K3QZ4OPIT8TFL84
Reviewed revision 06 (document currently at 16)
Result Has Nits
Completed 2019-12-12
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document only exists because of a scheduling issue between the ACE and
OAUTH working groups. The ACE working group needed some additional OAUTH
extensions added more quickly than the OAUTH group could manage to do it. This
document is intended to only exist until the OAUTH group can make the
corresponding changes. As such, it really doesn't have security considerations
beyond those in the document it modifies.

The security considerations section says (and I agree):

This document is an extension to [I-D.ietf-ace-oauth-authz]. All security
considerations from that document apply here as well.

Some acronyms that were not defined (but this might be OK in the context of
this being a modification to another document): AS, RS, CoAP, cnf, CBOR, pop,
CWT

A few typos / odd phrasing:

Abstract: whishes -> wishes
Appendix A: possesion -> possession

From Section 2:
Note that the term "endpoint" is used here following its OAuth 2.0 [RFC6749]
definition, which is to denote resources such as token and introspection at the
AS and authz-info at the RS.

Really? The term "endpoint" refers to tokens and authz-info data structures?
This seems unlikely.

Continuing in Section 2:
The CoAP [RFC7252] definition, which is "An entity participating in the CoAP
protocol" is not used in this specification.

Why is a definition that does not apply relevant to this document?