Last Call Review of draft-ietf-oauth-saml2-bearer-21
review-ietf-oauth-saml2-bearer-21-secdir-lc-roca-2014-10-16-00

Hello,

I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security area directors. Document editors and WG chairs should treat

these comments just like any other last call comments.

IMHO, the document is 

almost ready

. I just have minor comments:

SAML and OAUTH are already covered by extensive, detailed security and privacy 

considerations sections.

I agree with the authors there is no need to duplicate text in the present document.

However I have two comments:

1- it is mentioned that replay attack protection is not mandatory, but there is no

justification. On the opposite, protection against replay attacks is mentioned at

several places in [OASIS.saml-sec-consider-2.0-os] (e.g., 6.1.2, 6.4.5, 6.5.2, 6.5.6,

7.1.1.4). I don’t know to what extent the situation differs, but I’m curious to know

why it is so.

2- [OASIS.saml-sec-consider-2.0-os] reference does not include any URL. It’s probably

worth to add it.

 

http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

Cheers,

  Vincent