
Telechat Review of draft-ietf-oauth-proof-of-possession-07
review-ietf-oauth-proof-of-possession-07-secdir-telechat-lonvick-2015-12-10-00

Request: Review of draft-ietf-oauth-proof-of-possession
Requested revision: No specific revision (document currently at 11)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2015-12-15
Requested: 2015-11-26
Authors: Michael Jones, John Bradley, Hannes Tschofenig
Draft last updated: 2015-12-10
Completed reviews: Secdir Telechat review of -07 by Chris M. Lonvick (diff); Opsdir Telechat review of -07 by Ron Bonica (diff)
Assignment: Reviewer Chris M. Lonvick
State: Completed
Review: review-ietf-oauth-proof-of-possession-07-secdir-telechat-lonvick-2015-12-10
Reviewed revision: 07 (document currently at 11)
Result: Has Issues
Completed: 2015-12-10
Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Overall, the document looks pretty good.

I'd recommend taking another look at the Security Considerations section. It is sufficient and contains everything that I think needs to be said. However, it may be a bit more clear if you separate the security concerns of the protocol from the security concerns of credential management and policy. As I see it, the first and last paragraphs are concerned with credentials and policy while the middle paragraphs have statements about the actual protocol.

As a nit, I would suggest defining PoP at some point. While it's pretty obvious, I just like the traditional use of defining it before it's used. :-)

Best regards,
Chris