I am finally taking time to read the spec. First, I would commend the UMAtarians for coming out with this new draft, which looks much better than 1.0.

Having said that, there are a few questions that I have and your response will be much appreciated to form my opinion for the voting.

Q.1 `claims_redirect_uri` seems to be optional sometimes, and does not seem to require it to be unique per AS. Client ID by itself is not globally unique and to prevent mix-up attack, the security recommendation is to have something that scopes the Client ID to the AS. In case of the RFC6749, that is `redirect_uri` and it needs to be unique per AS if the client talks to multiple authorization servers. In UMA 2.0, `redirect_uri` is replaced by `claims_redirect_uri` but since it is optional and does not have the uniqueness qualification, it seems to leave an attack surface there. Was there any conscious reason for leaving this attack surface out?

Q.2 `state` is recommended in RFC6749, but that has to be taken with a grain of salt. It is only ok to be optional if there is any other provisions that takes care of the CSRF, e.g., `nonce` in OpenID Connect. The `state` parameter was RECOMMENDED in RFC6749 to allow these explicit provisions by the profiles of RFC6749. My question is this: what is the specific anti-CSRF provision in UMA 2.0 so that we can leave the `state` as RECOMMENDED? If there is not, then it is better to make it a MUST. The security considerations talks a bit about it but it is all "SHOULD". I feel that being a bit more prescriptive would be a good idea for the internet hygiene. Let me know what was the reasoning behind.

Q.3 It is a version two of the protocol. However, I do not see the version identifier in the messages. I am assuming that the messages are different enough from ver. 1.0 so that there will be no confusion, but want to check if it is so. (In general, I prefer to have an explicit version identifier except for the initial version to avoid the message confusion attack variants.)

Best,

Nat Sakimura

PLEASE READ :This e-mail is confidential and intended for the named recipient only. If you are not an intended recipient, please notify the sender and delete this e-mail.


---------
From: WG-UMA [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
Sent: Tuesday, November 28, 2017 7:34 AM
To: wg-uma@kantarainitiative.org WG <wg-uma@kantarainitiative.org>
Subject: [WG-UMA] URGENT: The UMA 2.0 specifications are now in Kantara All-Member Ballot

I'm pleased to report that the Draft Recommendations, which our WG approved to progress to the LC, and which the LC certified in a very efficient amount of time, have been put into All-Member Ballot by Kantara staff in a likewise extremely efficient manner. Special thanks to Andrew Hughes and Megan Cannon for their assistance!

I have prepared a Get Out The vote (GOTV) Google spreadsheet to help us reach out to Kantara members and member reps individually, to make the best use of this two-week balloting period. It will go by FAST. I invite you all to please help by going into the spreadsheet (I will share with any WG participant who requests access), filling in Kantara member/rep names, and -- especially -- marking yourself down as a "champion" to reach out personally to ask these people ASAP to vote YES on the ballot. There are tabs in the spreadsheet that even suggest email template text to make things extra easy. ;)

By the way, several Kantara individual members are also UMA WG participants, and I will be dropping each of you a note shortly!

Thank you -- please do take action on this as soon as you can, because the ballot runs from today only until DECEMBER 11!

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl