Telechat Review of draft-ietf-oauth-pop-architecture-06
review-ietf-oauth-pop-architecture-06-secdir-telechat-lepinski-2015-12-17-00
| Request | Review of draft-ietf-oauth-pop-architecture |
|---|---|
| Requested revision | No specific revision (document currently at 08) |
| Type | Telechat Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2015-12-15 |
| Requested | 2015-11-26 |
| Authors | Phil Hunt, Justin Richer, William Mills, Prateek Mishra, Hannes Tschofenig |
| Draft last updated | 2015-12-17 |
| Completed reviews | Genart Telechat review of -07 by Matthew A. Miller; Secdir Telechat review of -06 by Matt Lepinski; Opsdir Last Call review of -07 by Ron Bonica; Opsdir Last Call review of -07 by Lionel Morand |
| Assignment | Reviewer: Matt Lepinski |
| State | Completed |
| Review | review-ietf-oauth-pop-architecture-06-secdir-telechat-lepinski-2015-12-17 |
| Reviewed revision | 06 (document currently at 08) |
| Result | Ready |
| Completed | 2015-12-17 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other comments.

This document is ready. I have one minor suggestion (see below), but the document seems ready for publication.

This is the architecture and requirements document associated with OAUTH 2.0 Proof of Possession (see draft-ietf-oauth-proof-of-possession and draft-ietf-oauth-pop-key-distribution). The use-cases (and associated security concerns) that motivate proof of possession mechanisms are clearly laid out in the document, as are the security requirements for an acceptable proof of possession mechanism.

The document assumes knowledge of RFC 6819 -- the OAUTH 2.0 Threat Model and Security Considerations. (In particular, the architectural assumptions, security properties and threat model laid out in 6819 seem vital to understanding the security requirements in this document.) Therefore, I would like to see an explicit reference to 6819 in the Security Considerations section of this document. That is, it would be helpful to make clear that the Threat Model and Architectural Assumptions in 6819 apply to this document.

- Matt Lepinski