My comments:

1) Figure 3: The resource server in the response could also generate a Signature/MAC to prove to the client that it is in possession of the cryptographic keying material.

2) Section 3.2: Will new HTTP headers be defined in one of the PoP drafts for the application layer to carry the TLS channel binding information?

3) Section 3.3: It covers various attack scenarios except the active, man-in-the-middle attack.

4) Why only discuss TLS and not DTLS?

5) Section 3.4: Enterprise networks, ISPs etc. may also deploy HTTP(S) proxies.

6) Please explain scenarios in which using asymmetric cryptography is better suited for PoP than using symmetric cryptography.

7) I don't see any discussion on HMAC algorithm negotiation b/w the client and resource server. It may help to define mandatory-to-implement and default algorithms.

8) Protocols like the Dynamic Symmetric Key Provisioning Protocol (DSKPP) (RFC 6063) could be considered for the long-term secret b/w the AS and RS.

9) Nit> Figure 4: Add arrows for (V) and (IV).

10) AS-to-RS Relationship Anonymity: "This MAC Token security does not provide AS-to-RS relationship anonymity since the client has to inform the resource server about the resource server it wants to talk to." Nit> I think you meant "inform the authorization server about the resource server it wants to talk to".

Cheers,
-Tiru
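As an added illustration of comments 1) and 7) above (example code written for this archive, not from the draft or its authors), the sketch below shows a symmetric PoP exchange in which the resource server MACs its response over the client's nonce, so the client can check that the RS holds the shared key too; the algorithm label, the canonical string layout and the header field names are assumptions, not anything the PoP drafts define.

```python
import hmac, hashlib, time, secrets

ALG = "hmac-sha-256"   # constructed algorithm identifier; the draft defines none here
# Constructed shared PoP key: in the architecture the AS issues it to client and RS.
KEY = secrets.token_bytes(32)

def _mac(key: bytes, *parts: str) -> str:
    # Fields are newline-joined so no field can absorb its neighbour in the MAC input.
    return hmac.new(key, "\n".join(parts).encode(), hashlib.sha256).hexdigest()

def client_sign_request(key, method, uri, body, ts=None, nonce=None):
    # Client proves possession: MAC over request line and body, plus timestamp/nonce.
    ts = ts or str(int(time.time()))
    nonce = nonce or secrets.token_hex(8)
    mac = _mac(key, ALG, "req", ts, nonce, method, uri, body)
    return {"alg": ALG, "ts": ts, "nonce": nonce, "mac": mac}

def rs_verify_and_respond(key, method, uri, body, hdr, resp_body, max_skew=300, now=None):
    # RS checks the algorithm label explicitly (comment 7) and rejects stale timestamps.
    # A replay cache of seen nonces is omitted here for brevity.
    if hdr.get("alg") != ALG:
        return None
    now = now if now is not None else int(time.time())
    if abs(now - int(hdr["ts"])) > max_skew:
        return None
    expected = _mac(key, ALG, "req", hdr["ts"], hdr["nonce"], method, uri, body)
    if not hmac.compare_digest(expected, hdr["mac"]):
        return None
    # Response MAC is bound to the request nonce (comment 1): a party without the
    # key cannot produce it, and an old response cannot be replayed for a new nonce.
    return {"alg": ALG, "nonce": hdr["nonce"],
            "mac": _mac(key, ALG, "resp", hdr["nonce"], resp_body)}

def client_verify_response(key, req_hdr, resp_hdr, resp_body):
    # Client confirms the RS possessed the key and that the body was not altered in transit.
    if resp_hdr is None or resp_hdr.get("nonce") != req_hdr["nonce"]:
        return False
    expected = _mac(key, ALG, "resp", req_hdr["nonce"], resp_body)
    return hmac.compare_digest(expected, resp_hdr["mac"])
```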
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth