Thanks for your review, Stephen. Replies inline below...

> -----Original Message-----
> From: Stephen Farrell [mailto:[email protected]]
> Sent: Thursday, December 17, 2015 12:45 PM
> To: The IESG <[email protected]>
> Cc: [email protected]; [email protected];
> [email protected]; [email protected]
> Subject: Stephen Farrell's No Objection on draft-ietf-oauth-proof-of-possession-10: (with COMMENT)
>
> Stephen Farrell has entered the following ballot position for
> draft-ietf-oauth-proof-of-possession-10: No Objection
>
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> - Figure 1 and the discussion thereof: you talk all the time here about "a
> symmetric key" so I think you ought add a footnote like bit of text that says
> something like "note that there ought be more than one key involved here,
> derived from the key exchanged at (0) via a KDF." I kinda wish that all that
> had been covered in one document but I guess that's part of the PoP arch
> doc, which is for later.

Sounds good

> - 3.1 says "outside the scope of this specification": just wondering - does
> that phrase occur in all OAuth RFCs? (only kidding, honest:-) ;-)
>
> - section 4, para 2: replay can also be avoided if a sub-key is derived from a
> shared secret that is specific to the instance of the PoP demonstration.

Good - will add

> - section 6: DE guidance - I think we ought tell the DEs that the
> specification of a new thing needs to explicitly describe the security
> properties of using the new thing.

OK

> - I didn't see a response to the secdir review [1] but that was maybe sent to
> the wrong places.
>
> [1] https://www.ietf.org/mail-archive/web/secdir/current/msg06266.html

Thanks for pointing this out. My mail system had helpfully sorted this note into my Clutter folder. :-/ I'll send a reply shortly.

-- Mike

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
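The two review points above (deriving more than one key from the key exchanged at (0) via a KDF, and avoiding replay by deriving a sub-key that is specific to the instance of the PoP demonstration) worked through in Python as an added example. This is not code from the draft, from this thread, or from any OAuth implementation. It assumes a symmetric PoP key already shared between client and resource server, a nonce issued by the resource server as the per-instance value, HKDF-SHA256 (RFC 5869) as the KDF, and HMAC-SHA256 over a canonical form of the request; the `kid`, the `pop/mac` and `pop/enc` labels, the `ResourceServer` class and all key and request values are constructed for the example.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


# HKDF per RFC 5869, written on the stdlib so the example runs offline.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: absent salt is a string of HashLen zeros
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_instance_keys(pop_key: bytes, instance_nonce: bytes):
    """Derive distinct MAC and encryption sub-keys bound to one PoP demonstration.

    The PoP key from step (0) is never used directly: the verifier's nonce is the
    HKDF salt, so each demonstration instance gets its own sub-keys, and the
    'info' labels (constructed for this example) keep the two keys separate.
    """
    prk = hkdf_extract(instance_nonce, pop_key)
    mac_key = hkdf_expand(prk, b"pop/mac", HASH_LEN)
    enc_key = hkdf_expand(prk, b"pop/enc", HASH_LEN)
    return mac_key, enc_key


def canonical_request(method: str, uri: str, body: bytes) -> bytes:
    # What possession is demonstrated over: method, URI and a hash of the body.
    return b"\n".join([method.encode(), uri.encode(), HASH(body).hexdigest().encode()])


def compute_demonstration(pop_key: bytes, nonce: bytes, method: str, uri: str, body: bytes) -> str:
    """Client side: MAC the nonce and canonical request under the per-instance MAC key."""
    mac_key, _ = derive_instance_keys(pop_key, nonce)
    return hmac.new(mac_key, nonce + canonical_request(method, uri, body), HASH).hexdigest()


class ResourceServer:
    """Verifier side (constructed for the example): issues one-time nonces and checks demonstrations."""

    def __init__(self, keys_by_kid):
        self.keys_by_kid = dict(keys_by_kid)  # PoP keys learned from the token or introspection
        self.outstanding = set()              # nonces issued but not yet consumed by a valid demonstration

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, kid: str, nonce: bytes, method: str, uri: str, body: bytes, mac_hex: str) -> bool:
        if nonce not in self.outstanding:
            return False  # never issued, or already consumed: a replayed demonstration
        pop_key = self.keys_by_kid.get(kid)
        if pop_key is None:
            return False
        expected = compute_demonstration(pop_key, nonce, method, uri, body)
        if not hmac.compare_digest(expected, mac_hex):
            return False
        self.outstanding.discard(nonce)  # a nonce serves exactly one successful demonstration
        return True


if __name__ == "__main__":
    pop_key = b"constructed-pop-key-shared-at-step-0"  # constructed sample value
    rs = ResourceServer({"kid-1": pop_key})
    nonce = rs.issue_challenge()
    mac = compute_demonstration(pop_key, nonce, "GET", "/resource", b"")
    print("fresh demonstration accepted:", rs.verify("kid-1", nonce, "GET", "/resource", b"", mac))
    print("same demonstration replayed:", rs.verify("kid-1", nonce, "GET", "/resource", b"", mac))
```

A captured MAC is useless under any other nonce because the MAC key itself changes per instance, and the verifier's one-shot nonce set rejects a second presentation under the same nonce; the separately labelled `pop/enc` key is there so that whatever a future profile encrypts never shares key material with the MAC.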
