> 1. The relation between this document, OAuth 1.0 (RFC 5849) and OAuth
> 2.0 is not clear. In the Introduction we find:
>
>    This document gives additional security considerations for OAuth,
>    beyond those in the OAuth specification, based on a comprehensive
>    threat model for the OAuth 2.0 Protocol [I-D.ietf-oauth-v2].
>
> (would be good to provide a referent for the 'OAuth specification' -
> probably RFC 5489)

It does have a citation, right there: [I-D.ietf-oauth-v2]. That is the
OAuth specification. I suppose we could move the citation to be after
the word "specification", though no one else has been confused by this.

> but then says the document
>
> - Gives a comprehensive threat model for OAuth and describes the
>   respective countermeasures to thwart those threats.
>
> So is the scope of the document the threats beyond what is described in
> OAuth 1.0, or all the threats?

It has nothing to do with OAuth 1.0, and I don't think it says that
anywhere. It's OAuth 2.0, as noted in the citation. It expands on what's
in the Security Considerations of the OAuth spec, and covers threats
that are not described there as well. The OAuth spec has an informative
reference to this document.

> In any of the two cases some additional text is needed to clarify the
> scope.
>
> 2. The countermeasures to threats described in Section 5 can be divided
> into several categories - user actions, operator actions, design
> measures. Operators are typically responsible for some of them, and may
> make recommendations to users on others. It would have been useful to
> mark these accordingly, or maybe to include in Section 5 a table that
> shows to what category/ies each measure belongs. For operators this
> would have eased detecting the specific actions and recommendations to
> users that concern them.

I'll leave this for the authors.

> 3. The OAuth and OAuth 2.0 documents need to be Normative References.
> One cannot understand this document without understanding OAuth.

By the first, I presume you're talking about RFC 5849, and this document
has nothing whatever to do with that, and makes no claim to. For the
other, you're right, and I missed this in my shepherd review. The
authors appear to have made the mistake of thinking that all references
from an Informational document are informative.

Authors, have a look at the references and figure out which ones are
central to the understanding of this document. Make those normative
references. At the least, [I-D.ietf-oauth-v2] should be normative.

Barry, document shepherd

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
