Telechat Review of draft-ietf-oauth-proof-of-possession-07
review-ietf-oauth-proof-of-possession-07-secdir-telechat-lonvick-2015-12-10-00
| Field | Value |
|---|---|
| Request | Review of draft-ietf-oauth-proof-of-possession |
| Requested revision | No specific revision (document currently at 11) |
| Type | Telechat Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2015-12-15 |
| Requested | 2015-11-26 |
| Authors | Michael B. Jones, John Bradley, Hannes Tschofenig |
| I-D last updated | 2015-12-10 |
| Completed reviews | Secdir Telechat review of -07 by Chris M. Lonvick; Opsdir Telechat review of -07 by Ron Bonica |
| Assignment | Reviewer: Chris M. Lonvick |
| State | Completed |
| Request | Telechat review on draft-ietf-oauth-proof-of-possession by Security Area Directorate, Assigned |
| Reviewed revision | 07 (document currently at 11) |
| Result | Has issues |
| Completed | 2015-12-10 |
Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Overall, the document looks pretty good.

I'd recommend taking another look at the Security Considerations section. It is sufficient and contains everything that I think needs to be said. However, it may be a bit more clear if you separate the security concerns of the protocol from the security concerns of credential management and policy. As I see it, the first and last paragraphs are concerned with credentials and policy, while the middle paragraphs have statements about the actual protocol.

As a nit, I would suggest defining PoP at some point. While it's pretty obvious, I just like the traditional use of defining it before it's used. :-)

Best regards,
Chris