
Last Call Review of draft-ietf-oauth-native-apps-11
review-ietf-oauth-native-apps-11-secdir-lc-eastlake-2017-05-26-00

Request: Review of draft-ietf-oauth-native-apps
Requested revision: No specific revision (document currently at 12)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2017-05-16
Requested: 2017-05-02
Authors: William Denniss, John Bradley
Draft last updated: 2017-05-26
Completed reviews:
  Secdir Last Call review of -11 by Donald E. Eastlake 3rd
  Opsdir Last Call review of -11 by Zitao Wang
  Genart Last Call review of -10 by Elwyn B. Davies
  Genart Telechat review of -11 by Elwyn B. Davies
Assignment: Reviewer Donald E. Eastlake 3rd
State: Completed
Review: review-ietf-oauth-native-apps-11-secdir-lc-eastlake-2017-05-26
Reviewed revision: 11 (document currently at 12)
Result: Has Nits
Completed: 2017-05-26
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. Document editors and WG chairs should treat these comments just
like any other last call comments.

The primary goal of this BCP draft is to specify that OAuth 2.0
authorization requests from native apps should only be made through
external user agents, primarily the user's browser, as opposed to an
embedded user-agent.


Security Considerations

This BCP is all at quite a high level. It talks about interprocess and
world wide web interactions to effectuate OAuth 2.0, mechanisms with
which I am not too familiar. But, all mechanism details are in other
documents. The recommendations seem reasonable and the beginning of
the Security Considerations section paints a somewhat dismal security
picture compared with that typical of cryptographic or protocol
security.

As best I can tell, it is ready with trivial nits as listed below.


Minor

SSO is used multiple times but never expanded.


Trivial English Improvements

Page 13, Section 8.8
"for native apps to include" -> "that native apps include"

Page , Appendix B
"in an generic manner" -> "in a generic manner"

Page 19, Appendix B.4, 2nd paragraph
Last word of first line and first word of second line are duplicates.


Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com