[Gen-art] Gen-ART LC and Telechat review of draft-mraihi-totp-timebased-07
Ben Campbell <ben@estacado.net> Mon, 14 February 2011 22:38 UTC
Return-Path: <ben@estacado.net>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 12DA73A6DC8 for <gen-art@core3.amsl.com>; Mon, 14 Feb 2011 14:38:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXjI-YRu0r04 for <gen-art@core3.amsl.com>; Mon, 14 Feb 2011 14:38:40 -0800 (PST)
Received: from estacado.net (estacado-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:266::2]) by core3.amsl.com (Postfix) with ESMTP id 723663A6997 for <gen-art@ietf.org>; Mon, 14 Feb 2011 14:38:38 -0800 (PST)
Received: from dn3-227.estacado.net (dn3-227.estacado.net [172.16.3.227]) (authenticated bits=0) by estacado.net (8.14.3/8.14.2) with ESMTP id p1EMd0fx033051 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 14 Feb 2011 16:39:00 -0600 (CST) (envelope-from ben@estacado.net)
From: Ben Campbell <ben@estacado.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Feb 2011 16:39:00 -0600
Message-Id: <0097E2F3-AD5C-4338-B923-5A58C36A8C61@estacado.net>
To: draft-mraihi-totp-timebased.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)
Subject: [Gen-art] Gen-ART LC and Telechat review of draft-mraihi-totp-timebased-07
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2011 22:38:41 -0000
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at < http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Please wait for direction from your document shepherd or AD before posting a new version of the draft. Document: draft-mraihi-totp-timebased-07 Reviewer: Ben Campbell Review Date: 2011-02-14 IETF LC End Date: IESG Telechat date: 2011-02-17 Summary: This draft is almost ready for publication as an informational RFC. I have a few questions and comments that should probably be considered prior to publication. Note: I apologize for not getting these in during IETF last call. I was assigned the Gen-ART review for last call, but was on vacation at the time, and missed the assignment upon my return. Major issues: None Minor issues: -- general: There are some implied assumptions about the platform/APIs on which this algorithm may be implemented, such as "Unix Time" and the "default floor function". Is that intentional? -- 5.2: Is there a requirement that the proover must not make a second attempt inside a given time window? If so, that was not clear from the text. If there is not such a requirement, are their security implications if the proover does send multiple messages inside the same tick? It's not really a one time pad if that happens is it? (I gather later on that there is an assumption the user can only make one attempt per time slot--it would be good to explicitly state that early in the document) Nits/editorial comments: -- IDNits reports some issues. Please check. -- 1.1 and 1.2: Please expand HOTP and TOTP on first mention in the main body of the draft (I.e. even if you already did so in the abstract, since people often skip the abstract.) -- 1.2: Please defined K and C -- 1.2, last paragraph: "... HMAC-SHA-1 function could be replaced by HMAC-SHA-256 ..." What do you mean by "could be" in this context? An implementation could replace it? A future update to this document? -- 3, general: The requirements seem to be a mix of requirements on the design of the algorithm, and requirements on implementations/users of the algorithm. Is that the intent? -- 3, R2: Is there an expectation that the time be in sync? You mention later that it is in section 6--it might be worth mentioning in the requrements. -- 5.2, last paragraph, last sentence: "The default Time-step size 30 seconds is recommended." Redundant with previous paragraph -- 6, general: Any reason this comes after the security considerations section? -6, 1st paragraph: "before being not validated/rejected." That's ambiguous. Not validated? Not rejected? -- 6, paragraph 4: "In such cases, the default synchronization may not be proper when the drift exceeds beyond allowed threshold." I don't understand this sentence. -- 7: It's not clear if you are saying that the referenced document does register this algorithm, or that it could register this algorithm.
- [Gen-art] Gen-ART LC and Telechat review of draft… Ben Campbell