Thanks for your review, Marc; we've published a new version addressing your feedback.
You can also see the more detailed commits and discussion on GitHub:
Responses inline:
On Mon, Feb 3, 2025 at 8:00 AM Marc Blanchet via Datatracker <noreply@xxxxxxxx> wrote:
> Reviewer: Marc Blanchet
> Review result: Ready with Nits
>
> I've reviewed this document as an assigned ART reviewer. I'm not an expert in
> OAuth. I haven't seen any issue from the perspective of ART or i18n. I found
> this document comprehensive and detailed and useful for application architects
> and developers.
>
> I have the following comments.
>
> Substantive:
>
> - On my reading, it seems that the only foundation threat here is the ability
> for the attacker to inject malicious code. Okay. If this is the case, I think
> this should be pointed out clearly at the beginning of the document.
That is correct; this is now better explained in the intro to the threats in Section 5.
> - On my reading, I see that this document discusses two topics: security issues and
> best practices for browser-based apps that are using any kind of authentication
> mechanism and specific ones when using OAuth. I'm wondering if a) we already
> have any document that already describes the generic issues, in which case, we
> should refer or update; b) if we don't have, given that a lot of this document
> is valuable for issues not specifically related to OAuth, that we could split
> the document in two: one for non-OAuth issues and then having the second one
> strictly on OAuth-specific issues. That way, the first one can be referenced by
> non-OAuth work. Having said that, that suggestion may have been discussed
> already in the working group or may not make sense for reasons I don't know.
> Please discard if it does not make sense.
This has been clarified in Section 5; the intent is to discuss things specifically in relation to OAuth, not general browser security recommendations.
> Editorial:
>
> - Section 4: expand PKCE on first use and add a reference. That expansion is done
> later in the document in Section 6.3.2.1, so remove that expansion there.
> - DPoP: similarly.
References have been added throughout.