Mike Bishop has entered the following ballot position for
draft-ietf-oauth-cross-device-security-14: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

This is a well-done document, and I enjoyed reading it. I do support Roman's
DISCUSS about overuse of normative language, and include a very few comments
below.

# IESG review of draft-ietf-oauth-cross-device-security-14

CC @MikeBishop

## Comments

### Section 3.1.3, paragraph 9
```
     *  (F) The Authorization Server issues tokens or grants authorization
        to the Consumption Device to access the user's resources.
```
I quibble slightly with the direction of this arrow in the diagram, or perhaps
with the absence of an extra arrow. Presumably
the Consumption Device presents the Authorization Data, which then results in
access being granted? (Compare to F/G in the Figure in 3.2.1.)

### Section 5, paragraph 9
```
     if it detects that the same device is used.  An authorization server
     may use techniques such as device fingerprinting, network address or
     other techniques to detect if a cross-device protocol is being used
     on the same device.  If an implementor decides to use a cross-device
```
NAT might cause this to be misidentified.

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Section 10, paragraph 1
```
     Jim Fenton and Bing Liu and others (please let us know, if you've
     been mistakenly omitted) for their valuable input, feedback and
```
Probably about time to remove the parenthetical. The door is closing.

### Grammar/style

#### Section 1.2, paragraph 1
```
 other artifacts that allow them to setup a session and then use it to access
          ^
```

artefact -> artifact, one other place as well

#### Section 1.2, paragraph 1
```
 other artefacts that allow them to setup a session and then use it to access
                                    ^^^^^
```
The verb "set up" is spelled as two words. The noun "setup" is spelled as one.

#### Section 3.1, paragraph 8
```
mption Device. Note: The use of a 6 digit code is illustrative and reflects
                                  ^^^^^^^
```
When "6-digit" is used as a modifier, it is usually spelled with a hyphen.

#### Section 3.3.2, paragraph 1
```
ransfer Pattern) An employee is signed into an application on their personal
                                ^^^^^^^^^^^
```
The verb "signed into" is not standard English, except in the context of the
law ("The bill was signed into law"). Write "signed in to". For websites and
computers, other options are "logged in to" or "logged on to".

#### Section 3.3.2, paragraph 1
```
 which results in the user being signed into the application on the mobile p
                                 ^^^^^^^^^^^
```
The verb "signed into" is not standard English, except in the context of the
law ("The bill was signed into law"). Write "signed in to". For websites and
computers, other options are "logged in to" or "logged on to".

#### Section 4.1.1, paragraph 3
```
quest and thereby convince them to granting authorization. The social enginee
                                   ^^^^^^^^
```
The verb after "to" should be in the base form as part of the to-infinitive. A
verb can take many forms, but the base form is always used in the
to-infinitive.

#### Section 4.1.2, paragraph 3
```
for users and convincing users to providing them with authorization data sent
                                  ^^^^^^^^^
```
The verb after "to" should be in the base form as part of the to-infinitive. A
verb can take many forms, but the base form is always used in the
to-infinitive.

#### Section 4.2, paragraph 2
```
ed Session Pattern) These exploits applies to the use case described in Secti
                                   ^^^^^^^
```
You should probably use "apply".

#### Section 5, paragraph 7
```
 network. Though physically in close proximity, they don't share a network, s
                               ^^^^^^^^^^^^^^^
```
This phrase is a bit redundant. Consider using just "proximity".

#### Section 5, paragraph 8
```
can be established by comparing geo-location information derived from global
                                ^^^^^^^^^^^^
```
This word is normally spelled as one.

#### Section 6.1, paragraph 4
```
duced by making QR or user codes short lived. If an attacker obtains a short
                                 ^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.1, paragraph 4
```
lived. If an attacker obtains a short lived code, the duration during which
                                ^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.1.1, paragraph 1
```
cks counter the effectiveness of short lived codes by convincing a user to re
                                 ^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.1.1, paragraph 1
```
ency requirements, in which case short lived tokens may be more practical. O
                                 ^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.1.1, paragraph 2
```
 the same code to be presented a small number of times. 6.1.4. Unique Codes
                               ^^^^^^^^^^^^^^^^^
```
Specify a number, remove phrase, use "a few", or use "some".

#### Section 6.1.1, paragraph 3
```
al to the lifetime of a token if short lived/timebound tokens are used (see S
                                 ^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.1.1, paragraph 5
```
tion endpoint (see [RFC7662]). In addition it may notify resource servers to
                                  ^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "addition".

#### Section 6.1.3, paragraph 2
```
they are using a trusted device. Short lived tokens do not prevent or disrupt
                                 ^^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.1.6, paragraph 1
```
key, even if it is in hardware. Consequently the main protection derived from
                                ^^^^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Consequently".

#### Section 6.1.17, paragraph 1
```
 as a roaming authenticator for signing into the primary device, such as a p
                                ^^^^^^^^^^^^
```
The verb "signing into" is not standard English, except in the context of the
law ("The bill was signed into law"). Write "signing in to". For websites and
computers, other options are "logging in to" or "logging on to".

#### Section 6.2.2.3, paragraph 1
```
2020], Pernpruner et al. formally analysed an authentication protocol relyin
                                  ^^^^^^^^
```
Do not mix variants of the same word ("analyse" and "analyze") within a single
text.

#### Section 6.2.3.2, paragraph 1
```
ess these attacks, we propose a three pronged approach that includes the depl
                                ^^^^^^^^^^^^^
```
This word is normally spelled with a hyphen.

#### Section 6.2.3.4, paragraph 1
```
g Liu and others (please let us know, if you've been mistakenly omitted) for
                                    ^^^^
```
If " if" starts an indirect question, you do not need to put a comma before it.

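The NAT caveat in the comment on Section 5 above, as an added illustration that is not code from the draft or from any authorization server implementation. It models the "same device" check the draft describes (network address plus device fingerprinting) and shows the misidentification that a network-address-only check produces when the initiating device and the authorizing device sit behind the same NAT. The `RequestContext` shape, the fingerprint values and the addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed for the example.

```python
"""Same-device heuristic for a cross-device OAuth flow, and why the network
address alone is unreliable behind NAT.

Added illustration, not code from the draft or from any authorization server.
The RequestContext fields and sample values are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestContext:
    """What an authorization server can observe about one HTTP request."""
    client_ip: str                      # source address as seen by the AS
    device_fingerprint: Optional[str]   # opaque per-device hash, if available


def naive_same_device(init: RequestContext, auth: RequestContext) -> bool:
    """Network-address-only check: treats a shared source IP as 'same device'.

    This is the signal that NAT/CGNAT defeats: every device behind the same
    NAT presents the same public address to the authorization server.
    """
    return init.client_ip == auth.client_ip


def same_device_verdict(init: RequestContext, auth: RequestContext) -> str:
    """Combine signals and never conclude 'same device' from the address alone.

    Returns one of 'same_device', 'different_device' or 'ambiguous'.
    """
    # A differing address is strong evidence of two devices (or at least
    # two networks): this is the one conclusion the address can support.
    if init.client_ip != auth.client_ip:
        return "different_device"

    # Same public address: one device, or many devices behind one NAT.
    # Only a per-device signal can tell these apart.
    if init.device_fingerprint and auth.device_fingerprint:
        if init.device_fingerprint == auth.device_fingerprint:
            return "same_device"
        return "different_device"

    # No fingerprint: the shared address alone is not evidence either way.
    return "ambiguous"


# Constructed sample: a smart TV starts a device-authorization flow and the
# user approves it on a phone. Both are on the same home network behind one
# NAT, so the AS sees the same public address for both requests.
TV = RequestContext("203.0.113.7", "fp-tv-9c1e")
PHONE = RequestContext("203.0.113.7", "fp-phone-5a20")
# The same phone, but on a cellular connection instead of the home Wi-Fi.
PHONE_CELLULAR = RequestContext("198.51.100.22", "fp-phone-5a20")
# The same two devices when the AS has no fingerprint for either request.
TV_NO_FP = RequestContext("203.0.113.7", None)
PHONE_NO_FP = RequestContext("203.0.113.7", None)


def demo() -> dict:
    """Return the verdicts for each scenario so they can be checked."""
    return {
        "naive_behind_nat": naive_same_device(TV, PHONE),           # True: wrong
        "fingerprint_behind_nat": same_device_verdict(TV, PHONE),  # different_device
        "address_only_behind_nat": same_device_verdict(TV_NO_FP, PHONE_NO_FP),  # ambiguous
        "phone_on_cellular": same_device_verdict(TV, PHONE_CELLULAR),  # different_device
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The point of `same_device_verdict` is asymmetric: a differing address can rule out the same device, but a shared address can never rule it in. An authorization server that wants to refuse a cross-device flow on the same device therefore needs a per-device signal for that decision, and should treat the "ambiguous" case as "cannot tell" rather than as a match.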

