Last Call Review of draft-ietf-oauth-spop-11
review-ietf-oauth-spop-11-opsdir-lc-shore-2015-06-11-00
Request | Review of | draft-ietf-oauth-spop |
---|---|---|
Requested revision | No specific revision (document currently at 15) | |
Type | Last Call Review | |
Team | Ops Directorate (opsdir) | |
Deadline | 2015-06-09 | |
Requested | 2015-05-24 | |
Authors | Nat Sakimura , John Bradley , Naveen Agarwal | |
I-D last updated | 2015-06-11 | |
Completed reviews |
Genart Last Call review of -11
by Alexey Melnikov
(diff)
Secdir Last Call review of -11 by Ben Laurie (diff) Opsdir Last Call review of -11 by Melinda Shore (diff) |
|
Assignment | Reviewer | Melinda Shore |
State | Completed | |
Request | Last Call review on draft-ietf-oauth-spop by Ops Directorate Assigned | |
Reviewed revision | 11 (document currently at 15) | |
Result | Ready | |
Completed | 2015-06-11 |
review-ietf-oauth-spop-11-opsdir-lc-shore-2015-06-11-00
I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: This document is ready, with very minor issues. It does not appear to introduce new management/manageability considerations. This document describes a challenge-response mechanism to protect against an OAuth authorization code being intercepted by an attacker, when that authorization code is sent in the clear. The authorization code is used to acquire an access token and must be protected. This attack (an attacker using an intercepted authz code to acquire an access token) has been observed in the wild. We are astonished to learn that OAuth is being run over an unencrypted channel. However, given that it is, this is a reasonable defense mechanism. Questions: Why is S256 RECOMMENDED and not a MUST? Nits: ASCII(STRING) does not appear to be used in the protocol grammar? Melinda