Last Call Review of draft-ietf-tokbind-protocol-16

Request: Review of draft-ietf-tokbind-protocol
Requested rev.: no specific revision (document currently at 19)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2017-11-27
Requested: 2017-11-13
Authors: Andrey Popov, Magnus Nystrom, Dirk Balfanz, Adam Langley, Jeff Hodges
Draft last updated: 2017-11-24
Completed reviews:
  Genart Last Call review of -16 by Jouni Korhonen
  Secdir Last Call review of -16 by Yoav Nir
  Opsdir Last Call review of -16 by Victor Kuarsingh
  Artart Telechat review of -17 by Matthew Miller
Assignment: Reviewer Yoav Nir
State: Completed
Review: review-ietf-tokbind-protocol-16-secdir-lc-nir-2017-11-24
Reviewed rev.: 16 (document currently at 19)
Review result: Ready
Review completed: 2017-11-24


The document seems ready with two minor editorial nits:

1. The first sentence is as follows:
  Often, servers generate various security tokens (e.g.  HTTP cookies, OAuth [RFC6749] tokens)
  If you reference the OAuth RFC, you should also reference the HTTP cookie RFC (RFC 6265).

2. The term "bound token" appears in section 2 without any definition. Perhaps add something like "An application token contained in a token binding message is called a bound token."

Other than that, the document is well written and the security issues are dealt with well in sections 4 and 5 as well as the security considerations section (7).