Telechat Review of draft-ietf-oauth-assertions-10

Request Review of draft-ietf-oauth-assertions
Requested rev. no specific revision (document currently at 18)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2013-02-05
Requested 2013-01-25
Authors Brian Campbell, Chuck Mortimore, Michael Jones, Yaron Goland
Draft last updated 2013-02-07
Completed reviews Genart Last Call review of -08 by Vijay Gurbani (diff)
Genart Telechat review of -09 by Vijay Gurbani (diff)
Genart Telechat review of -10 by Vijay Gurbani (diff)
Secdir Last Call review of -08 by Shawn Emery (diff)
Secdir Telechat review of -10 by Shawn Emery (diff)
Opsdir Last Call review of -17 by Mehmet Ersue (diff)
Assignment Reviewer Shawn Emery 
State Completed
Review review-ietf-oauth-assertions-10-secdir-telechat-emery-2013-02-07
Reviewed rev. 10 (document currently at 18)
Review result Ready
Review completed: 2013-02-07


    A new version of this draft has been made, 10, which implicitly
    addresses the concerns that I had brought up during the secdir



    On 12/30/12 12:07 AM, Shawn Emery wrote:

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This internet-draft describes an assertion framework for the OAuth 2.0 protocol.  Given that
that this is a framework, subsequent drafts would be needed for a deployed mechanism.

The security considerations section does exist and outlines various issues including
impersonation, replay, and privacy.  The section then suggests ways of mitigating these
threats.  This seems sufficient, but can there be more guidance on the Assertion ID to
avoid collision or replay (e.g. length, roll-over, etc.)?

General comments:


Editorial comments:

Redundant wordings, suggested fix:


 An IEFT URN for use as the "XXXX" value can be requested using
 the template in An IETF URN Sub-Namespace for OAuth [




 An IEFT URN for use as the "XXXX" value can be requested using
 the template in [



Shouldn't urn:ietf:params:oauth:grant_type:* be 

s/included yet all/included, yet all/


secdir mailing list

secdir at