Last Call Review of draft-ietf-oauth-native-apps-11
review-ietf-oauth-native-apps-11-secdir-lc-eastlake-2017-05-26-00
| Field | Value |
|---|---|
| Request | Review of draft-ietf-oauth-native-apps |
| Requested revision | No specific revision (document currently at 12) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2017-05-16 |
| Requested | 2017-05-02 |
| Authors | William Denniss, John Bradley |
| Draft last updated | 2017-05-26 |
| Completed reviews | Secdir Last Call review of -11 by Donald E. Eastlake 3rd; Opsdir Last Call review of -11 by Zitao Wang; Genart Last Call review of -10 by Elwyn B. Davies; Genart Telechat review of -11 by Elwyn B. Davies |
| Assignment | Reviewer: Donald E. Eastlake 3rd |
| State | Completed |
| Review | review-ietf-oauth-native-apps-11-secdir-lc-eastlake-2017-05-26 |
| Reviewed revision | 11 (document currently at 12) |
| Result | Has Nits |
| Completed | 2017-05-26 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

The primary goal of this BCP draft is to specify that OAuth 2.0 authorization requests from native apps should only be made through external user agents, primarily the user's browser, as opposed to an embedded user-agent.

Security Considerations

This BCP is all at quite a high level. It talks about interprocess and world wide web interactions to effectuate OAuth 2.0, mechanisms with which I am not too familiar. But all mechanism details are in other documents. The recommendations seem reasonable, and the beginning of the Security Considerations section paints a somewhat dismal security picture compared with that typical of cryptographic or protocol security. As best I can tell, it is ready with trivial nits as listed below.

Minor

SSO is used multiple times but never expanded.

Trivial English Improvements

Page 13, Section 8.8: "for native apps to include" -> "that native apps include"

Page , Appendix B: "in an generic manner" -> "in a generic manner"

Page 19, Appendix B.4, 2nd paragraph: Last word of first line and first word of second line are duplicates.

Thanks,
Donald

===============================
Donald E. Eastlake 3rd
+1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3@gmail.com