Last Call Review of draft-ietf-oauth-dpop-12
review-ietf-oauth-dpop-12-secdir-lc-schwartz-2023-01-20-00
Request | Review of | draft-ietf-oauth-dpop |
---|---|---|
Requested revision | No specific revision (document currently at 16) | |
Type | IETF Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2023-01-20 | |
Requested | 2023-01-06 | |
Authors | Daniel Fett , Brian Campbell , John Bradley , Torsten Lodderstedt , Michael B. Jones , David Waite | |
I-D last updated | 2023-09-18 (Latest revision 2023-04-13) | |
Completed reviews | Secdir IETF Last Call review of -12 by Benjamin M. Schwartz | |
Assignment | Reviewer | Benjamin M. Schwartz |
State | Completed | |
Request | IETF Last Call review on draft-ietf-oauth-dpop by Security Area Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/secdir/GJcq5udPGzaw4gTMt2vhQ8aSj8U | |
Reviewed revision | 12 (document currently at 16) | |
Result | Ready | |
Completed | 2023-01-20 | |
This is a very mature, carefully drafted specification.

Question: Under Dynamic Client Registration, do we need a mechanism for the client to learn the required signature algorithms? In general, there is no discussion of how mutually acceptable signature algorithms might be negotiated.

Unlike cryptographic nonces, it is acceptable for clients to use the same nonce multiple times, and for the server to accept the same nonce multiple times. This suggests that there may be another term that is better than "nonce", such as "epoch", "session ID", or "tag".

Section 11.4: "This grant needs to be 'silent', i.e., not require interaction with the user." Why? Surely an occasional user authentication refresh is not such a red flag to ordinary users.
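To illustrate the reviewer's point about nonce reuse, here is an added example (written for this page, not code from the draft or its authors) of a server-side validator that derives the DPoP nonce from a time epoch, so the same nonce is legitimately presented in many proofs, while the per-proof `jti` claim carries the single-use check. The epoch length, grace window and HMAC-based derivation are assumptions of the example; signature verification of the proof JWT is assumed to have been done by the caller.

```python
import base64
import hashlib
import hmac


class DPoPNonceValidator:
    """Server side of DPoP nonce handling (added example, not from the draft).

    The nonce is a server-chosen value bound to a time epoch (assumed scheme):
    every proof issued within that epoch carries the same nonce, so reuse is
    expected. The per-proof 'jti' claim is the value that must be unique, so
    replay detection keys on jti, never on nonce.
    """

    def __init__(self, secret: bytes, epoch_seconds: int = 300, grace_epochs: int = 1):
        self._secret = secret            # constructed server-side secret
        self._epoch_seconds = epoch_seconds
        self._grace_epochs = grace_epochs  # how many past epochs remain acceptable
        self._seen_jti = set()           # jti values already accepted (replay cache)

    def _nonce_for_epoch(self, epoch: int) -> str:
        # Derive a nonce deterministically from the epoch number; the same epoch
        # always yields the same nonce, which is what makes reuse acceptable.
        mac = hmac.new(self._secret, str(epoch).encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()

    def current_nonce(self, now: int) -> str:
        """Value to send to the client in the DPoP-Nonce header."""
        return self._nonce_for_epoch(int(now) // self._epoch_seconds)

    def validate(self, claims: dict, now: int, expected_htm: str, expected_htu: str):
        """Check a decoded DPoP proof payload. Returns (accepted, reason)."""
        for claim in ("jti", "htm", "htu", "iat"):
            if claim not in claims:
                return False, f"missing {claim}"
        if claims["htm"] != expected_htm or claims["htu"] != expected_htu:
            return False, "htm/htu mismatch"
        if abs(int(now) - int(claims["iat"])) > self._epoch_seconds:
            return False, "iat outside acceptance window"
        # Accept the nonce of the current epoch and of 'grace_epochs' earlier ones.
        epoch = int(now) // self._epoch_seconds
        accepted = {self._nonce_for_epoch(epoch - i) for i in range(self._grace_epochs + 1)}
        if claims.get("nonce") not in accepted:
            return False, "use_dpop_nonce"  # client must retry with a fresh DPoP-Nonce
        # The nonce may repeat across proofs; the jti must not.
        if claims["jti"] in self._seen_jti:
            return False, "replayed jti"
        self._seen_jti.add(claims["jti"])
        return True, "ok"
```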