Last Call Review of draft-ietf-tokbind-protocol-16
review-ietf-tokbind-protocol-16-secdir-lc-nir-2017-11-24-00
| Request | Review of | draft-ietf-tokbind-protocol |
|---|---|---|
| Requested revision | No specific revision (document currently at 19) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2017-11-27 | |
| Requested | 2017-11-13 | |
| Authors | Andrei Popov , Magnus Nyström , Dirk Balfanz , Adam Langley , Jeff Hodges | |
| I-D last updated | 2017-11-24 | |
| Completed reviews |
Genart Last Call review of -16
by Jouni Korhonen
(diff)
Secdir Last Call review of -16 by Yoav Nir (diff) Opsdir Last Call review of -16 by Victor Kuarsingh (diff) Artart Telechat review of -17 by Matthew A. Miller (diff) |
|
| Assignment | Reviewer | Yoav Nir |
| State | Completed | |
| Request | Last Call review on draft-ietf-tokbind-protocol by Security Area Directorate Assigned | |
| Reviewed revision | 16 (document currently at 19) | |
| Result | Ready | |
| Completed | 2017-11-24 |
review-ietf-tokbind-protocol-16-secdir-lc-nir-2017-11-24-00
The document seems ready with two minor editorial nits: 1. The first sentence is as follows: Often, servers generate various security tokens (e.g. HTTP cookies, OAuth [RFC6749] tokens) If you reference the OAuth RFC, you should also reference the HTTP cookie RFC (RFC 6265) 2. The term "bound token" appears in section 2 without any definition. Perhaps add something like "An application token contained in a token binding message is called a bound token" Other than that, the document is well written and the security issues are dealt with well in sections 4 and 5 as well as the security considerations section (7).