This document is informational and describes the threat model and
security countermeasures for OAuth 2.0 (about the scope see Comment 1).
Although informational, it includes a lot of information useful
for operators, as well as recommendations on actions that need to be
taken by operators, or recommendations or education that needs to be
given to users in order to ensure a secure environment. Some more clarity
on what the operators' responsibilities are vs. design recommendations
would have helped, but overall it's a good document.
Specific comments:
1. The relation between this document, OAuth 1.0 (RFC 5849) and OAuth
2.0 is not clear. In the Introduction we find:
This document gives additional security considerations for OAuth,
beyond those in the OAuth specification, based on a comprehensive
threat model for the OAuth 2.0 Protocol [I-D.ietf-oauth-v2].
(it would be good to provide a reference for the 'OAuth specification' -
probably RFC 5489)
but then says the document
- Gives a comprehensive threat model for OAuth and describes the
respective counter measures to thwart those threats.
So is the scope of the document the threats beyond what is described in
OAuth 1.0, or all the threats?
In either case some additional text is needed to clarify the
scope.
2. The countermeasures to threats described in Section 5 can be divided
into several categories - user actions, operator actions, design
measures. Operators are typically responsible for some of them, and may
make recommendations to users on others. It would have been useful to
mark these accordingly, or maybe to include in Section 5 a table that
shows to what category/ies each measure belongs. For operators this
would have eased detecting the specific actions and recommendations to
users that concern them.
3. The OAuth and OAuth 2.0 documents need to be Normative References.
One cannot understand this document without understanding OAuth.
Regards,
Dan
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth