Last Call Review of draft-ietf-oauth-saml2-bearer-21
review-ietf-oauth-saml2-bearer-21-secdir-lc-roca-2014-10-16-00
Request | Review of | draft-ietf-oauth-saml2-bearer |
---|---|---|
Requested revision | No specific revision (document currently at 23) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2014-10-14 | |
Requested | 2014-09-18 | |
Authors | Brian Campbell , Chuck Mortimore , Michael B. Jones | |
I-D last updated | 2014-10-16 | |
Completed reviews |
Genart Last Call review of -21
by Meral Shirazipour
(diff)
Genart Telechat review of -21 by Meral Shirazipour (diff) Secdir Last Call review of -21 by Vincent Roca (diff) Opsdir Last Call review of -21 by Tom Taylor (diff) |
|
Assignment | Reviewer | Vincent Roca |
State | Completed | |
Request | Last Call review on draft-ietf-oauth-saml2-bearer by Security Area Directorate Assigned | |
Reviewed revision | 21 (document currently at 23) | |
Result | Has issues | |
Completed | 2014-10-16 |
review-ietf-oauth-saml2-bearer-21-secdir-lc-roca-2014-10-16-00
Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. IMHO, the document is almost ready . I just have minor comments: SAML and OAUTH are already covered by extensive, detailed security and privacy considerations sections. I agree with the authors there is no need to duplicate text in the present document. However I have two comments: 1- it is mentioned that replay attack protection is not mandatory, but there is no justification. On the opposite, protection against replay attacks is mentioned at several places in [OASIS.saml-sec-consider-2.0-os] (e.g., 6.1.2, 6.4.5, 6.5.2, 6.5.6, 7.1.1.4). I don’t know to what extent the situation differs, but I’m curious to know why it is so. 2- [OASIS.saml-sec-consider-2.0-os] reference does not include any URL. It’s probably worth to add it. http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf Cheers, Vincent