[OAUTH-WG] AD review of draft-ietf-oauth-amr-values
Kathleen Moriarty
2016-10-28 18:50:42 UTC
Hello,

I reviewed draft-ietf-oauth-amr-values and have a few comments. First,
thanks for your work on this draft!

Several of the authentication methods mentioned are typically used (or
recommended for use) as a second or third factor. I see in section 3 that
multiple methods can be contained in the claim. I'd like to see an example
of single and multiple authentication methods being represented. Was it a
WG decision to leave out examples?

In the Privacy considerations section, I think it should be made clear that
the actual credentials are not part of this specification to avoid
additional privacy concerns for biometric data.

Section 5, shouldn't a pointer be here to the attacks on OAuth 2.0 as well?


Thank you.
--
Best regards,
Kathleen
Mike Jones
2016-11-14 07:29:21 UTC
Thanks for your review, Kathleen. Draft -04 has been published to address these comments. Actions taken are described inline.

-- Mike

From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Kathleen Moriarty
Sent: Saturday, October 29, 2016 3:51 AM
To: ***@ietf.org
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-amr-values

Hello,

I reviewed draft-ietf-oauth-amr-values and have a few comments. First, thanks for your work on this draft!

Several of the authentication methods mentioned are typically used (or recommended for use) as a second or third factor. I see in section 3 that multiple methods can be contained in the claim. I'd like to see an example of single and multiple authentication methods being represented. Was it a WG decision to leave out examples?

· Added “amr” claim examples with both single and multiple values.

In the Privacy considerations section, I think it should be made clear that the actual credentials are not part of this specification to avoid additional privacy concerns for biometric data.

· Clarified that the actual credentials referenced are not part of this specification to avoid additional privacy concerns for biometric data.

Section 5, shouldn't a pointer be here to the attacks on OAuth 2.0 as well?

· Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to applications using this specification.


Thank you.
--
Best regards,
Kathleen
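An added illustration of the single-value and multiple-value "amr" claim shapes discussed above, written as a relying-party check (example code, not from the draft or its authors; the method names are those registered by the final RFC 8176, assumed to match draft -04, and the factor-category policy is an assumed relying-party rule):

```python
"""Validate and interpret the "amr" (Authentication Methods References) claim.

Per OpenID Connect Core, "amr" is a JSON array of case-sensitive strings,
so a single method is still carried as a one-element array.  The method
names are those registered by RFC 8176 (assumption: same as draft -04).
"""
import json

# Subset of the RFC 8176 registry, grouped by factor category.  This
# grouping is an assumed policy of the relying party, not part of the spec.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION_OR_INHERENCE = {"hwk", "swk", "sc", "otp", "sms", "face", "fpt", "iris"}
KNOWN_AMR = KNOWLEDGE | POSSESSION_OR_INHERENCE | {"mfa", "rba", "user", "wia"}


def parse_amr(claims: dict) -> list:
    """Return the amr values, rejecting a claim that is not an array of strings."""
    amr = claims.get("amr")
    if amr is None:
        return []  # claim is optional; absent means "no methods asserted"
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def unknown_methods(amr: list) -> set:
    """Values outside the registry; the spec allows them, so log rather than reject."""
    return set(amr) - KNOWN_AMR


def satisfies_mfa(amr: list) -> bool:
    """True if the token asserts multi-factor authentication.

    Either the issuer states it explicitly with "mfa", or the listed methods
    span both a knowledge factor and a possession/inherence factor.
    """
    methods = set(amr)
    if "mfa" in methods:
        return True
    return bool(methods & KNOWLEDGE) and bool(methods & POSSESSION_OR_INHERENCE)


# Constructed sample ID Token claim sets (not taken from the draft).
SINGLE = json.loads('{"sub": "alice", "amr": ["pwd"]}')
MULTIPLE = json.loads('{"sub": "alice", "amr": ["pwd", "otp"]}')

if __name__ == "__main__":
    for claims in (SINGLE, MULTIPLE):
        amr = parse_amr(claims)
        print(amr, "-> MFA" if satisfies_mfa(amr) else "-> single factor")
```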
Kathleen Moriarty
2016-11-14 07:37:13 UTC
Thanks, Mike.

I'll look at the shepherd report and see if it is ready to start last call.

Best regards,
Kathleen