Last Call Review of draft-ietf-tokbind-protocol-16
review-ietf-tokbind-protocol-16-opsdir-lc-kuarsingh-2017-11-27-00

Request Review of draft-ietf-tokbind-protocol
Requested rev. no specific revision (document currently at 19)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2017-11-27
Requested 2017-11-13
Other Reviews Genart Last Call review of -16 by Jouni Korhonen (diff)
Secdir Last Call review of -16 by Yoav Nir (diff)
Artart Telechat review of -17 by Matthew Miller (diff)
Review State Completed
Reviewer Victor Kuarsingh
Review review-ietf-tokbind-protocol-16-opsdir-lc-kuarsingh-2017-11-27
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/rhRjzgBjZg6ZBUxhFYDwSlnJs68
Reviewed rev. 16 (document currently at 19)
Review result Ready
Draft last updated 2017-11-27
Review completed: 2017-11-27

Review
review-ietf-tokbind-protocol-16-opsdir-lc-kuarsingh-2017-11-27

Dear Authors,

<< NOTE: Resending to the ops-dir list as I made a typo in the draft title in the
last email; please ignore that one, but I need this mail archived to complete the
review correctly >>

I have reviewed this document as part of the Operational directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving the
operational aspects of the IETF drafts. Comments that are not
addressed in last call may be included in AD reviews during the IESG
review.  Document editors and WG chairs should treat these comments
just like any other last call comments.

Document Reviewed - The Token Binding Protocol Version 1.0

Link to Document - https://tools.ietf.org/html/draft-ietf-tokbind-protocol-16

Summary:

This document specifies an initial version of a Token Binding Protocol
(version 1.0).  The basic objective of the protocol is to allow
applications to create and utilize long-lived TLS bindings across
multiple sessions/connections.  The goal is to provide added security
to client/server communications.

General Comments and Feedback:


The document is well written and describes the protocol well.  During
the review of the document, I did not find specific gaps or issues as
part of an ops-focused review.  Key operational considerations are
well captured and described in Section 7 (Security Considerations).

Based on my review, I have no material points to add and note that the
document appears ready for publication, notwithstanding any other
area reviews which may find issues to be addressed.

Inline text review follows.

Text Review

<< Abstract >>
- ok

<< Introduction >>

< P1 >

Suggested replacement: "Often, servers generate various security
tokens...." with "Servers often generate various security tokens..."

<< Token Binding Protocol Overview >>

- ok

<< Token Binding Protocol Message >>

- ok
<< TokenBinding.tokenbinding_type >>

- ok

<< TokenBinding.tokenbindingid >>

- ok

<< TokenBinding.signature >>

- ok

<< TokenBinding.extensions >>

- ok

<< Establishing a Token Binding >>

<< Client Processing Rules >>

- ok

<< Server Processing Rules >>

- ok

<< Bound Security Token Creation and Validation >>

- ok

<< IANA Considerations >>

- ok

<< Token Binding Key Parameters Registry >>

- ok

<< Token Binding Types Registry >>

- ok

<< Token Binding Extensions Registry >>

- ok

<< Registration of Token Binding TLS Exporter Label >>

- ok

<< Security Considerations >>

- ok

<< Security Token Replay >>

- ok

<< Downgrade Attacks >>

- ok

<< Privacy Considerations >>

- ok

<< Token Binding Key Sharing Between Applications >>

- ok

<< Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions >>

- ok
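The summary above states the protocol's goal: a security token issued over one TLS connection should be usable only by the client that holds the binding key, which is the property the "Bound Security Token Creation and Validation" and "Security Token Replay" sections of the draft cover. The Go program below is an added illustration written for this page; it is not code from the draft, from the reviewer, or from any Token Binding implementation. It follows the draft's signature input (tokenbinding_type, key_parameters, exported keying material) and its "provided" type and ECDSA P-256 key-parameters values, but the TokenBindingID encoding, the fixed EKM byte strings standing in for TLS exporter output, and the token value are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const (
	ProvidedTokenBinding byte = 0  // the draft's tokenbinding_type "provided"
	KeyParamsECDSAP256   byte = 2  // the draft's key_parameters value for ECDSA P-256
	EKMLen                    = 32 // length of the TLS exported keying material bound
)

// signingInput models the draft's signature input: tokenbinding_type || key_parameters || EKM.
func signingInput(tbType, keyParams byte, ekm []byte) []byte {
	buf := append(make([]byte, 0, 2+len(ekm)), tbType, keyParams)
	return append(buf, ekm...)
}

// SignTokenBinding is the client side: sign over the EKM of this TLS connection.
func SignTokenBinding(priv *ecdsa.PrivateKey, tbType byte, ekm []byte) ([]byte, error) {
	digest := sha256.Sum256(signingInput(tbType, KeyParamsECDSAP256, ekm))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyTokenBinding is the server side: the signature must cover the EKM of
// the current connection, so a TokenBinding captured elsewhere fails here.
func VerifyTokenBinding(pub *ecdsa.PublicKey, tbType byte, ekm, sig []byte) bool {
	if len(ekm) != EKMLen {
		return false
	}
	digest := sha256.Sum256(signingInput(tbType, KeyParamsECDSAP256, ekm))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// TokenBindingID names the client key a token is bound to. Using the hex of the
// raw uncompressed P-256 point is this example's choice, not the draft's encoding.
func TokenBindingID(pub *ecdsa.PublicKey) string {
	point := make([]byte, 64)
	pub.X.FillBytes(point[:32])
	pub.Y.FillBytes(point[32:])
	return hex.EncodeToString(point)
}

// BoundToken is a server-issued token plus the TokenBindingID it was issued to.
type BoundToken struct {
	Value   string
	BoundTo string
}

// ValidateBoundToken needs both checks: a valid signature over this connection's
// EKM (defeats replay on another connection) and a key matching the one the
// token was issued to (defeats presenting the token under a different key).
func ValidateBoundToken(tok BoundToken, pub *ecdsa.PublicKey, ekm, sig []byte) bool {
	return VerifyTokenBinding(pub, ProvidedTokenBinding, ekm, sig) &&
		tok.BoundTo == TokenBindingID(pub)
}

// Scenario runs the legitimate flow and the two ways a stolen token would be
// presented. It returns (legitimate, replayedOnOtherConnection, otherKey, err).
func Scenario() (bool, bool, bool, error) {
	client, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed EKM values standing in for the TLS exporter output of two connections.
	ekm1 := bytes.Repeat([]byte{0x11}, EKMLen)
	ekm2 := bytes.Repeat([]byte{0x22}, EKMLen)
	// Connection 1: client proves key possession, server issues a token bound to that key.
	sig1, err := SignTokenBinding(client, ProvidedTokenBinding, ekm1)
	if err != nil {
		return false, false, false, err
	}
	tok := BoundToken{Value: "constructed-session-token", BoundTo: TokenBindingID(&client.PublicKey)}
	legit := ValidateBoundToken(tok, &client.PublicKey, ekm1, sig1)
	// Connection 2: same token and captured signature, but a different EKM, so it fails.
	replay := ValidateBoundToken(tok, &client.PublicKey, ekm2, sig1)
	// Connection 2 under another key: fresh signature verifies, binding ID does not match.
	sig2, err := SignTokenBinding(other, ProvidedTokenBinding, ekm2)
	if err != nil {
		return false, false, false, err
	}
	return legit, replay, ValidateBoundToken(tok, &other.PublicKey, ekm2, sig2), nil
}

func main() {
	legit, replay, otherKey, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate=%v replay=%v other_key=%v\n", legit, replay, otherKey)
}
```

The two rejected cases in Scenario are the ones the draft's replay discussion is about: a bearer token copied off one connection is worthless on another because the EKM the server derives there differs, and a token cannot be re-homed to a different key because the server compares the presenting key against the one recorded at issuance.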