Last Call Review of draft-ietf-oauth-access-token-jwt-11
review-ietf-oauth-access-token-jwt-11-secdir-lc-salowey-2021-02-07-00
Request | Review of draft-ietf-oauth-access-token-jwt
---|---
Requested revision | No specific revision (document currently at 13)
Type | Last Call Review
Team | Security Area Directorate (secdir)
Deadline | 2021-02-09
Requested | 2021-01-26
Authors | Vittorio Bertocci
I-D last updated | 2021-02-07
Completed reviews | Genart Last Call review of -11 by Roni Even; Secdir Last Call review of -11 by Joseph A. Salowey; Secdir Telechat review of -12 by Joseph A. Salowey
Assignment | Reviewer: Joseph A. Salowey
State | Completed
Request | Last Call review on draft-ietf-oauth-access-token-jwt by Security Area Directorate (Assigned)
Posted at | https://mailarchive.ietf.org/arch/msg/secdir/V_2bUEdFvQuso9XoexrXt2waEyg
Reviewed revision | 11 (document currently at 13)
Result | Has issues
Completed | 2021-02-07
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is that the document has issues.

1. (Editorial) What is the relationship between this document and RFC 7523? They are using JWT for different purposes, but I think it would be useful to clarify this in the introduction.

2. (Issue) The specification does not specify any mandatory-to-implement algorithm among the recommended asymmetric algorithms. This will not help interop. Perhaps specify one or both of "RS256" and "ES256".

3. (Question) Is it currently possible to use the JWT access token in a mode other than a bearer token? For example, is there a way to bind the JWT to a verifiable key or identifier? If there is, there should be some discussion of this in the security considerations. If not, do the authors know if there is any work planned in this area?

4. The Genart review pointed out a nit that should be fixed.