Last Call Review of draft-ietf-oauth-amr-values-04

Request Review of draft-ietf-oauth-amr-values
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-12-13
Requested 2016-11-29
Authors Michael Jones, Phil Hunt, Anthony Nadalin
Draft last updated 2016-12-08
Completed reviews Secdir Last Call review of -04 by Catherine Meadows (diff)
Genart Last Call review of -04 by Paul Kyzivat (diff)
Opsdir Last Call review of -04 by Linda Dunbar (diff)
Genart Telechat review of -05 by Paul Kyzivat (diff)
Assignment Reviewer Catherine Meadows
State Completed
Review review-ietf-oauth-amr-values-04-secdir-lc-meadows-2016-12-08
Reviewed rev. 04 (document currently at 08)
Review result Ready
Review completed: 2016-12-08


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document establishes a registry for Authentication Method Reference (amr) values used by the OpenID protocol and defines an initial set of such values.   The amr claim is already defined and registered
in IANA; this document serves to implement it.  The amr provides a field in which information about the type of authentication being used is provided, using the amr values.

The authors of the document address both security and privacy concerns,  The privacy concern is that the amr claim provides information about the form of authentication used, which could have
privacy implications in some cases, and that this document does not provide any guidance as to how privacy-relevant credentials, such as biometric information, are stored and protected.  As the authors
point out, the latter is beyond the scope of the document.  

The security concerns are mainly derived from those  of the OpenID protocol.  The authors also warn that amr may be more brittle than another related claim, acr, since acr provides information about
whether a particular set of business rules were satisfied, while acm only tells you whether a particular type of authentication was used.  This could lead to a policy that relies on particular forms of authentication,
which would be harder to update as security needs change.  

I think that the authors have done a good job of addressing security and privacy concerns, and I don’t see any issues here. I consider this document ready.

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: <>