Last Call Review of draft-ietf-ace-oauth-params-06
review-ietf-ace-oauth-params-06-secdir-lc-kaufman-2019-12-24-00

Request Review of draft-ietf-ace-oauth-params
Requested rev. no specific revision (document currently at 13)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-12-13
Requested 2019-11-29
Authors Ludwig Seitz
Draft last updated 2019-12-24
Completed reviews Secdir Last Call review of -06 by Charlie Kaufman (diff)
Genart Last Call review of -06 by Elwyn Davies (diff)
Assignment Reviewer Charlie Kaufman
State Completed
Review review-ietf-ace-oauth-params-06-secdir-lc-kaufman-2019-12-24
Posted at https://mailarchive.ietf.org/arch/msg/secdir/KaYEiThsRWP6K3QZ4OPIT8TFL84
Reviewed rev. 06 (document currently at 13)
Review result Has Nits
Review completed: 2019-12-12

Review
review-ietf-ace-oauth-params-06-secdir-lc-kaufman-2019-12-24

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document only exists because of a scheduling issue between the ACE and OAUTH working groups. The ACE working group needed some additional OAUTH extensions added more quickly that the OAUTH group could manage to do it. This document is intended to only exist until the OAUTH group can make the corresponding changes. As such, it really doesn't have security considerations beyond those in the document it modifies.

The security considerations section says (and I agree):

This document is an extension to [I-D.ietf-ace-oauth-authz]. All security considerations from that document apply here as well.

Some acronyms that were not defined (but this might be OK in the context of this being a modification to another document): AS, RS, CoAP, cnf, CBOR, pop, CWT


A few typos / odd phrasing:

Abstract: whishes -> wishes
Appendix A: possesion -> possession

>From Section 2:
Note that the term "endpoint" is used here following its OAuth 2.0 [RFC6749] definition, which is to denote resources such as token and introspection at the AS and authz-info at the RS.

Really? The term "endpoint" refers to tokens and authz-info data structures? This seems unlikely.

Continuing in Section 2:
The CoAP [RFC7252] definition, which is "An entity participating in the CoAP protocol" is not used in this specification.

Why is a definition that does not apply relevant to this document?