
Last Call Review of draft-ietf-oauth-amr-values-04
review-ietf-oauth-amr-values-04-secdir-lc-meadows-2016-12-08-00

Request Review of draft-ietf-oauth-amr-values
Requested revision No specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-12-13
Requested 2016-11-29
Authors Michael B. Jones , Phil Hunt , Anthony Nadalin
I-D last updated 2016-12-08
Completed reviews Secdir Last Call review of -04 by Catherine Meadows (diff)
Genart Last Call review of -04 by Paul Kyzivat (diff)
Opsdir Last Call review of -04 by Linda Dunbar (diff)
Genart Telechat review of -05 by Paul Kyzivat (diff)
Assignment Reviewer Catherine Meadows
State Completed
Request Last Call review on draft-ietf-oauth-amr-values by Security Area Directorate Assigned
Reviewed revision 04 (document currently at 08)
Result Ready
Completed 2016-12-08
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document establishes a registry for Authentication Method Reference (amr)
values used by the OpenID protocol and defines an initial set of such values.  
The amr claim is already defined and registered in IANA; this document serves
to implement it.  The amr provides a field in which information about the type
of authentication being used is provided, using the amr values.

The authors of the document address both security and privacy concerns. The
privacy concern is that the amr claim provides information about the form of
authentication used, which could have privacy implications in some cases, and
that this document does not provide any guidance as to how privacy-relevant
credentials, such as biometric information, are stored and protected. As the
authors point out, the latter is beyond the scope of the document.

The security concerns are mainly derived from those of the OpenID protocol.
The authors also warn that amr may be more brittle than another related claim,
acr, since acr provides information about whether a particular set of business
rules were satisfied, while amr only tells you whether a particular type of
authentication was used. This could lead to a policy that relies on particular
forms of authentication, which would be harder to update as security needs
change.

I think that the authors have done a good job of addressing security and
privacy concerns, and I don’t see any issues here. I consider this document
ready.

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil
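The brittleness the review describes, as an added example that is not part of the datatracker page, the review, or the draft: a relying party that enumerates acceptable amr method combinations versus one that keys on the acr claim. The amr value names (pwd, otp, hwk, mfa) are the ones registered by this document as published (RFC 8176); the issuer URL, the acr URNs, the two policy sets and the sample tokens are constructed for illustration and are not from the draft. Signature verification is assumed to have been done by a real JOSE library before any of this runs; the helper here only parses the claims segment.

```python
from __future__ import annotations

import base64
import json
from typing import Iterable

# ---- constructed sample ID token claim sets (hypothetical issuer and acr URNs) ----
TOKEN_PWD_OTP = {"iss": "https://idp.example", "sub": "alice",
                 "amr": ["pwd", "otp"], "acr": "urn:example:loa2"}
# Same assurance level, but the IdP has started issuing hardware-key second factors.
TOKEN_PWD_HWK = {"iss": "https://idp.example", "sub": "alice",
                 "amr": ["pwd", "hwk"], "acr": "urn:example:loa2"}
TOKEN_PWD_ONLY = {"iss": "https://idp.example", "sub": "bob",
                  "amr": ["pwd"], "acr": "urn:example:loa1"}
TOKEN_NO_AMR = {"iss": "https://idp.example", "sub": "carol"}
TOKEN_BAD_AMR = {"iss": "https://idp.example", "sub": "dave", "amr": "pwd otp"}

# Hypothetical relying-party policies.
# amr policy: any of these method combinations is acceptable (subset match).
AMR_POLICY = [frozenset({"pwd", "otp"}), frozenset({"mfa"})]
# acr policy: any of these issuer-defined assurance levels is acceptable.
ACR_POLICY = {"urn:example:loa2", "urn:example:loa3"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a compact-serialization token with an empty signature segment.
    Constructed sample only: it is NOT a valid signed ID token."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def unverified_payload(jwt: str) -> dict:
    """Decode the claims segment of a compact JWS. Assumes the signature was
    already verified by a proper library; this only parses, it does not verify."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def amr_is_well_formed(claims: dict) -> bool:
    """OpenID Connect Core defines amr as a JSON array of strings."""
    amr = claims.get("amr")
    return amr is None or (isinstance(amr, list) and all(isinstance(v, str) for v in amr))


def get_amr(claims: dict) -> frozenset[str]:
    """Return the amr claim as a set; absent claim means no methods asserted."""
    if not amr_is_well_formed(claims):
        raise ValueError("amr must be a JSON array of strings")
    return frozenset(claims.get("amr") or [])


def amr_policy_allows(claims: dict, acceptable: Iterable[frozenset[str]]) -> bool:
    """Brittle form: the RP hard-codes which authentication methods it trusts.
    Any new method the IdP adopts (here: hwk instead of otp) fails closed until
    the RP's list is updated."""
    amr = get_amr(claims)
    return any(combo <= amr for combo in acceptable)


def acr_policy_allows(claims: dict, acceptable_acr: set[str]) -> bool:
    """Less brittle form: the RP trusts the issuer's assurance level, and the
    issuer can change which methods satisfy that level without touching the RP."""
    acr = claims.get("acr")
    return isinstance(acr, str) and acr in acceptable_acr


if __name__ == "__main__":
    for name, tok in [("pwd+otp", TOKEN_PWD_OTP), ("pwd+hwk", TOKEN_PWD_HWK),
                      ("pwd only", TOKEN_PWD_ONLY), ("no amr", TOKEN_NO_AMR)]:
        claims = unverified_payload(make_unsigned_token(tok))
        print(f"{name:9s} amr-policy={amr_policy_allows(claims, AMR_POLICY)!s:5s} "
              f"acr-policy={acr_policy_allows(claims, ACR_POLICY)}")
```

The pwd+hwk token is the interesting case: it satisfies the acr policy but fails the amr policy, which is exactly the maintenance burden the authors warn about. If an RP does need amr (for instance to refuse a specific method it considers too weak), checking for the presence of a disallowed value is less brittle than enumerating every allowed combination.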