
Last Call Review of draft-ietf-sipcore-sip-token-authnz-12
review-ietf-sipcore-sip-token-authnz-12-secdir-lc-piper-2020-04-14-00

Request Review of draft-ietf-sipcore-sip-token-authnz
Requested revision No specific revision (document currently at 17)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-04-15
Requested 2020-04-01
Authors Rifaat Shekh-Yusef, Christer Holmberg, Victor Pascual
I-D last updated 2020-04-14
Completed reviews Secdir Last Call review of -12 by Derrell Piper
Genart Last Call review of -12 by Linda Dunbar
Assignment Reviewer Derrell Piper
State Completed
Request Last Call review on draft-ietf-sipcore-sip-token-authnz by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/4SDbZ04i_gog4Hm8FNui8NY2yBE
Reviewed revision 12 (document currently at 17)
Result Has nits
Completed 2020-04-14
Reviewer: Derrell Piper
Review result: Ready With Nits

I reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents entering the IESG.  These comments
are directed at the security area director(s).  Document editors and WG
chairs should treat these comments like any other last call comments.

This document defines a third-party token authentication scheme for
authentication to SIP services using "bearer" tokens from the OAuth 2.0
framework and the OpenID Connect Core 1.0 to support native application
assisted (or proxy-based) token-based authentication and authorization.

pp. 3, 1., nit

"...enables the single-sign-on features, which allows the user to..."

"...enables single sign-on, which allows the user to..."

pp. 5, last sentence

"previously" means "from the out-of-scope mechanism", just say that.

pp. 7, 2.1.1

"(or with invalid credentials)"

Why continue when a UAC presents invalid credentials?  [See below.]

pp. 8, 2.1.3

2.1.1 says if you get invalid credentials to go REGISTER, and here in
REGISTER, it says if you get invalid credentials, go to 2.1.1.  This
seems recursive though I'm assuming this ultimately terminates when all
the schemes are exhausted without success.

Derrell
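The 2.1.1/2.1.3 question above is really about whether the UAC's challenge-handling loop is guaranteed to stop. The following model, added here as an illustration and not taken from the draft or the review, sketches a UAC that answers 401 challenges one scheme at a time and treats each offered scheme as tried at most once, so the loop ends once every scheme has been attempted. The WWW-Authenticate layout (a "Bearer" challenge carrying assumed realm and authz_server parameters, plus a Digest alternative), the FakeRegistrar, and the obtain_credential step standing in for the out-of-scope token acquisition are all constructed for the example.

```python
# Toy SIP UAC challenge loop. Added illustration only: header layout,
# parameter names (realm, authz_server), FakeRegistrar and
# obtain_credential are assumptions, not text from the draft.
import re
from dataclasses import dataclass

# "Scheme param=...". Params are captured separately below.
_SCHEME_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9_-]*)\s*(.*)$')
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"')


@dataclass(frozen=True)
class Challenge:
    scheme: str      # e.g. "Bearer" or "Digest"
    params: tuple    # ((name, value), ...) so the object stays hashable


def parse_challenge(header_value):
    """Parse one WWW-Authenticate value, e.g.
    'Bearer realm="example.com", authz_server="https://as.example.com"'.
    Raises ValueError when no scheme token is present."""
    m = _SCHEME_RE.match(header_value)
    if not m or not m.group(1):
        raise ValueError("no auth scheme in challenge")
    scheme, rest = m.group(1), m.group(2)
    return Challenge(scheme=scheme, params=tuple(_PARAM_RE.findall(rest)))


class FakeRegistrar:
    """Constructed stand-in for a SIP registrar: every REGISTER without
    acceptable credentials gets a 401 offering two schemes, and only one
    specific Bearer token is accepted."""
    CHALLENGES = (
        'Bearer realm="example.com", authz_server="https://as.example.com"',
        'Digest realm="example.com", nonce="abc123"',
    )

    def __init__(self, accepted_bearer="tok-good"):
        self.accepted_bearer = accepted_bearer
        self.requests_seen = 0

    def register(self, authorization):
        """Return (status, [Challenge, ...]) for a REGISTER carrying the
        given Authorization value (None when the header is absent)."""
        self.requests_seen += 1
        if authorization == f"Bearer {self.accepted_bearer}":
            return 200, []
        return 401, [parse_challenge(c) for c in self.CHALLENGES]


def obtain_credential(challenge, credentials):
    """Assumed out-of-scope step: whatever the UAC can present for this
    scheme (a bearer token it already fetched, a Digest response, ...).
    Returns None when the UAC has nothing for that scheme."""
    value = credentials.get(challenge.scheme)
    return None if value is None else f"{challenge.scheme} {value}"


def register_with_retries(registrar, credentials, max_attempts=5):
    """Send REGISTER and answer 401 challenges scheme by scheme.
    A scheme that has already been tried is never tried again, which is
    what keeps the 2.1.1 <-> 2.1.3 hand-off from recursing forever.
    Returns (outcome, attempts), outcome in {"ok", "exhausted", "failed"}."""
    tried = set()
    authorization = None
    attempts = 0
    while attempts < max_attempts:
        attempts += 1
        status, challenges = registrar.register(authorization)
        if status == 200:
            return "ok", attempts
        if status != 401:
            return "failed", attempts
        # Invalid or missing credentials: move on to the next untried
        # scheme the registrar offered, skipping ones we cannot answer.
        authorization = None
        for c in challenges:
            if c.scheme in tried:
                continue
            tried.add(c.scheme)
            authorization = obtain_credential(c, credentials)
            if authorization is not None:
                break
        if authorization is None:
            return "exhausted", attempts
    return "exhausted", attempts


if __name__ == "__main__":
    print(register_with_retries(FakeRegistrar(), {"Bearer": "tok-good"}))
    print(register_with_retries(FakeRegistrar(),
                                {"Bearer": "tok-stale", "Digest": "resp"}))
```

With a valid token the UAC succeeds on the second REGISTER; with a stale token and an unusable Digest response it sends exactly one REGISTER per offered scheme plus the initial one and then stops, rather than bouncing between "go to REGISTER" and "go to 2.1.1" indefinitely. Whatever wording the draft settles on, a UAC needs an equivalent bound (schemes tried once, or an attempt cap) so that a registrar returning 401 forever cannot drive it into an unbounded retry loop.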