[Captive-portals] Martin Duke's Discuss on draft-ietf-capport-api-07: (with DISCUSS and COMMENT)

[Martin Duke via Datatracker <noreply@ietf.org>]

Martin Duke has entered the following ballot position for
draft-ietf-capport-api-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-capport-api/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Unless I am misinterpreting the language here, there is a disconnect between
this document and the architecture document.

Sec 2.3 of -architecture says:
At minimum, the API MUST provide: (1) the state of captivity and (2) a URI for
the Captive Portal Server.

But in section 5 user-portal-url is an optional field. Is -architecture
actually levying a requirement on the api spec, or the api server?

I am also confused by this sentence at the end of section 4.1 about failed
authentication: “It may still be possible for the user to access the network by
being redirected to a web portal.”

Who is doing the redirecting here? If authentication has failed, how is this
redirect authenticated and secure against theft of credentials?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

This document is otherwise clearly written. Thanks.

As I said in the architecture review, the term for the user portal keeps
changing. Over there it’s called a “Captive Portal Server” and a “web portal
server”. Here it’s a “user-portal.”

One nit:
s/extenal/external