Telechat Review of draft-ietf-oauth-pop-architecture-06
review-ietf-oauth-pop-architecture-06-secdir-telechat-lepinski-2015-12-17-00

Request: Review of draft-ietf-oauth-pop-architecture
Requested revision: No specific revision (document currently at 08)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2015-12-15
Requested: 2015-11-26
Authors: Phil Hunt, Justin Richer, William Mills, Prateek Mishra, Hannes Tschofenig
Draft last updated: 2015-12-17
Completed reviews: Genart Telechat review of -07 by Matthew A. Miller (diff)
Secdir Telechat review of -06 by Matt Lepinski (diff)
Opsdir Last Call review of -07 by Ron Bonica (diff)
Opsdir Last Call review of -07 by Lionel Morand (diff)
Assignment: Reviewer Matt Lepinski
State: Completed
Review: review-ietf-oauth-pop-architecture-06-secdir-telechat-lepinski-2015-12-17
Reviewed revision: 06 (document currently at 08)
Result: Ready
Completed: 2015-12-17
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other comments.

This document is ready. I have one minor suggestion (see below), but the
document seems ready for publication.

This is the architecture and requirements document associated with OAUTH 2.0
Proof of Possession (see draft-ietf-oauth-proof-of-possession and
draft-ietf-oauth-pop-key-distribution). The use-cases (and associated security
concerns) that motivate proof of possession mechanisms are clearly laid out in
the document, as are the security requirements for an acceptable proof of
possession mechanism.

The document assumes knowledge of RFC 6819 -- the OAUTH 2.0 Threat Model and
Security Considerations. (In particular, the architectural assumptions,
security properties and threat model laid out in 6819 seem vital to
understanding the security requirements in this document.) Therefore, I would
like to see an explicit reference to 6819 in the Security Considerations
section of this document. That is, it would be helpful to make clear that the
Threat Model and Architectural Assumptions in 6819 apply to this document.

- Matt Lepinski