Skip to main content

Last Call Review of draft-ietf-oauth-security-topics-25
review-ietf-oauth-security-topics-25-artart-lc-housley-2024-02-18-00

Request Review of draft-ietf-oauth-security-topics
Requested revision No specific revision (document currently at 25)
Type Last Call Review
Team ART Area Review Team (artart)
Deadline 2024-02-22
Requested 2024-02-08
Authors Torsten Lodderstedt , John Bradley , Andrey Labunets , Daniel Fett
I-D last updated 2024-02-18
Completed reviews Artart Last Call review of -25 by Russ Housley
Genart Last Call review of -25 by Thomas Fossati
Assignment Reviewer Russ Housley
State Completed
Request Last Call review on draft-ietf-oauth-security-topics by ART Area Review Team Assigned
Posted at https://mailarchive.ietf.org/arch/msg/art/COOxHTC-mAeDuutBJYMNvPm2lrc
Reviewed revision 25
Result Almost ready
Completed 2024-02-18
review-ietf-oauth-security-topics-25-artart-lc-housley-2024-02-18-00
I am the assigned ART-ART reviewer for this draft. Please treat these
comments just like any other last call comments.


Document: draft-ietf-oauth-security-topics-25
Reviewer: Russ Housley
Review Date: 2024-02-18
IETF LC End Date: 2024-02-22
IESG Telechat date: Unknown


Summary: Almost Ready

Major Concerns:

Section 4: Some of the subsections contain MUST, MUST NOT, SHOULD, and
MAY statements.  Given the structure of the document, I expected all of
the words that are defined in RFC 2119 to appear is Section 2, with
discussion of attacks in Section 4.  Please consider lower case words.


Minor Concerns:

Section 1: I recognize that the term "Anti-patterns" is gaining favor,
but I still think that you should provide a brif introduction to the
concept.  Perhaps: Anti-patterns are patterns in software development
that are considered bad programming practices, but they seem to happen
over and over.

Section 2.3: It says:

   ...  If not, the resource server must refuse to
   serve the respective request. ...

The "If not" is ambiguous.  Which aspects of the previous sentence
does this cover?  Part is implemented by the access server and part is
implemented by the resource server.  Can the resource server always
determin whether the "the authorization server associates the access
token with the respective resource and actions"?  Please clarify.

Section 2.5: When is client authentication not possible?  In other
words, under what circumstances does an authorization server
implementer ignore this SHOULD statement?

Section 4.1.1: The text says: "First, the attacker ..."  However, there
is not "Second" or "Then" to go wit the "First".  Please reword.
Perhaps: s/First/To begin/

Section 4.1.2: The text says: "First, the attacker ..."  However, there
is not "Second" or "Then" to go wit the "First".  Please reword.
Perhaps: s/First/To begin/


Nits:

Abstract: Because the Abstract is not allowed to contain references:
          s/[RFC6749], [RFC6750], and [RFC6819]/
           /RFC 6749, RFC 6750, and RFC 6819/
           
Section 1: s/client talks to/client is talking to/

Section 1: s/when feasible/as soon as feasible/

Section 2.5: s/authentication if possible./authentication./

Section 3: s/attacker model/threat model/ (multiple places)

Section 3: s/(wifi)/(Wi-Fi)/

Section 4.4.1: I do not think the bolding in the Variants bullets is
helpful to the reader, especially in the plaintext document.

Section 4.10.1: I do not think the bolding at the send of the section is
helpful to the reader, especially in the plaintext document.