Last Call Review of draft-ietf-tokbind-protocol-16

Request Review of draft-ietf-tokbind-protocol
Requested rev. no specific revision (document currently at 19)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-11-27
Requested 2017-11-13
Other Reviews Genart Last Call review of -16 by Jouni Korhonen
Opsdir Last Call review of -16 by Victor Kuarsingh
Artart Telechat review of -17 by Matthew Miller
Review State Completed
Reviewer Yoav Nir
Review review-ietf-tokbind-protocol-16-secdir-lc-nir-2017-11-24
Reviewed rev. 16 (document currently at 19)
Review result Ready
Draft last updated 2017-11-24
Review completed: 2017-11-24


The document seems ready with two minor editorial nits:

1. The first sentence is as follows:
  Often, servers generate various security tokens (e.g.  HTTP cookies, OAuth [RFC6749] tokens)
  If you reference the OAuth RFC, you should also reference the HTTP cookie RFC (RFC 6265).

2. The term "bound token" appears in section 2 without any definition. Perhaps add something like "An application token contained in a token binding message is called a bound token".

Other than that, the document is well written and the security issues are dealt with well in sections 4 and 5 as well as the security considerations section (7).