Last Call Review of draft-ietf-tokbind-protocol-16
review-ietf-tokbind-protocol-16-opsdir-lc-kuarsingh-2017-11-27-00
| Request | Review of | draft-ietf-tokbind-protocol |
|---|---|---|
| Requested revision | No specific revision (document currently at 19) | |
| Type | Last Call Review | |
| Team | Ops Directorate (opsdir) | |
| Deadline | 2017-11-27 | |
| Requested | 2017-11-13 | |
| Authors | Andrei Popov , Magnus Nyström , Dirk Balfanz , Adam Langley , Jeff Hodges | |
| I-D last updated | 2017-11-27 | |
| Completed reviews |
Genart Last Call review of -16
by Jouni Korhonen
(diff)
Secdir Last Call review of -16 by Yoav Nir (diff) Opsdir Last Call review of -16 by Victor Kuarsingh (diff) Artart Telechat review of -17 by Matthew A. Miller (diff) |
|
| Assignment | Reviewer | Victor Kuarsingh |
| State | Completed | |
| Request | Last Call review on draft-ietf-tokbind-protocol by Ops Directorate Assigned | |
| Reviewed revision | 16 (document currently at 19) | |
| Result | Ready | |
| Completed | 2017-11-27 |
review-ietf-tokbind-protocol-16-opsdir-lc-kuarsingh-2017-11-27-00
Dear Authors, << NOTE: Resending for ops-dir list as I made type on draft title on last email , please ignore, but I need this mail archive to complete review correctly >> I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. Document Reviewed - The Token Binding Protocol Version 1.0 Link to Document - https://tools.ietf.org/html/draft-ietf-tokbind-protocol-16 Summary: This document specifies specifies an initial version of a Token Binding Protocol (version 1.0). The basic objective of the protocol is to allow applications to create and utilize long lived TLS bindings across multiple sessions/connection. The goal is to provide added security to client/server communications. General Comments and Feedback: The document is well written and describes the protocol well. During the review of the document, I did not find specific gaps or issues as part of an ops focused review. Key operational considerations are well captured and describe din section 7 (security considerations section). Based on my review, I have no material points to add and note the document appears ready for publication - notwithstanding any other area reviews which may find issues to be addressed. In line text review follow Text Review << Abstract >> - ok << Introduction >> < P1 > Suggested replacement "Often, servers generate various security tokens...." with " Servers often generate various security tokens..." << Token Binding Protocol Overview >> - ok << Token Binding Protocol Message >> - ok << TokenBinding.tokenbinding_type >> - ok << TokenBinding.tokenbindingid >> - ok << TokenBinding.signature >> - ok << TokenBinding.extensions >> - ok << Establishing a Token Binding >> << Client Processing Rules >> - ok << Server Processing Rules >> - ok << Bound Security Token Creation and Validation >> - ok << IANA Considerations >> - ok << Token Binding Key Parameters Registry >> - ok << Token Binding Types Registry >> - ok << Token Binding Extensions Registry >> - ok << Registration of Token Binding TLS Exporter Label >> - ok << Security Considerations >> - ok << Security Token Replay >> - ok << Downgrade Attacks >> - ok << Privacy Considerations >> - ok << Token Binding Key Sharing Between Applications >> - ok << Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions >> - ok