Last Call Review of draft-ietf-oauth-spop-11

Request Review of draft-ietf-oauth-spop
Requested rev. no specific revision (document currently at 15)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2015-06-09
Requested 2015-05-24
Authors Nat Sakimura, John Bradley, Naveen Agarwal
Draft last updated 2015-06-11
Completed reviews Genart Last Call review of -11 by Alexey Melnikov (diff)
Secdir Last Call review of -11 by Ben Laurie (diff)
Opsdir Last Call review of -11 by Melinda Shore (diff)
Assignment Reviewer Melinda Shore
State Completed
Review review-ietf-oauth-spop-11-opsdir-lc-shore-2015-06-11
Reviewed rev. 11 (document currently at 15)
Review result Ready
Review completed: 2015-06-11


I have reviewed this document as part of the Operational directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These  comments were written with the intent of improving the
operational aspects of the  IETF drafts. Comments that are not
addressed in last call may be included in AD reviews
during the IESG review.  Document editors and WG chairs should treat
these comments just like any other last call comments.


This document is ready, with very minor issues.  It does not appear to
introduce new management/manageability considerations.

This document describes a challenge-response mechanism to protect
against an OAuth authorization code being intercepted by an attacker,
when that authorization code is sent in the clear.  The authorization
code is used to acquire an access token and must be protected.  This
attack (an attacker using an intercepted authz code to acquire an
access token) has been observed in the wild.

We are astonished to learn that OAuth is being run over an
unencrypted channel.

However, given that it is, this is a reasonable defense mechanism.


Why is S256 RECOMMENDED and not a MUST?


ASCII(STRING) does not appear to be used in the protocol grammar?