Re: [Gen-art] Telechat Review of draft-ietf-httpauth-extension-08

Jari Arkko <jari.arkko@piuha.net> Thu, 01 September 2016 09:35 UTC

Return-Path: <jari.arkko@piuha.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 776E512D8DE; Thu, 1 Sep 2016 02:35:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 537AppbZbq4n; Thu, 1 Sep 2016 02:35:28 -0700 (PDT)
Received: from p130.piuha.net (p130.piuha.net [IPv6:2a00:1d50:2::130]) by ietfa.amsl.com (Postfix) with ESMTP id 7C96212D8E8; Thu, 1 Sep 2016 02:35:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id C40202CC9B; Thu, 1 Sep 2016 12:35:26 +0300 (EEST) (envelope-from jari.arkko@piuha.net)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kUpV8g2_cG1X; Thu, 1 Sep 2016 12:35:26 +0300 (EEST)
Received: from [127.0.0.1] (p130.piuha.net [IPv6:2a00:1d50:2::130]) by p130.piuha.net (Postfix) with ESMTP id 1F36B2CC40; Thu, 1 Sep 2016 12:35:26 +0300 (EEST) (envelope-from jari.arkko@piuha.net)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_5138825D-1CD1-46EF-932E-0F1287DE2D6B"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail
From: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <a5e9721c-5b45-40c0-9b98-19d153d1b490@cisco.com>
Date: Thu, 01 Sep 2016 12:35:25 +0300
Message-Id: <CA99F843-0A25-4096-9C7D-0463D1D86428@piuha.net>
References: <a5e9721c-5b45-40c0-9b98-19d153d1b490@cisco.com>
To: Matt Miller <mamille2@cisco.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/Mbk_GFnOg9vF3hFI5SokJEYt0o8>
Cc: gen-art@ietf.org, draft-ietf-httpauth-extension.all@ietf.org
Subject: Re: [Gen-art] Telechat Review of draft-ietf-httpauth-extension-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 09:35:31 -0000

Matt: Many thanks for your detailed review. Much appreciated.

Authors, can you take these notes into account?

Jari

On 01 Sep 2016, at 05:15, Matt Miller <mamille2@cisco.com> wrote:

> * There is at least a couple of mentions of the
> "Authentication-Info" header, but no reference to RFC 7615 in which
> it is defined.  I think an informational reference is warranted
> here.
> 
> * Just reading sections 4.5. "Location-when-logout parameter" and
> 4.6. "Logout-timeout parameter", it is unclear how these are meant
> to interact to inform a client the user's authentication session.
> Frankly, I think the text in section 4.5 is too vague about how
> a client can detect termination of a user's authenticated session,
> and could use more of a hint on how "logout-timeout" is involved
> to accomplish it. At the least, I think both sections 4.5. and
> 4.6. need pointers to section 5. to help readers get a
> sense of how to apply them.
> 
> * In section 4.7. "Username parameter", I think there should be
> an explicit pointer to the Security Considerations to warn about
> potential issues this parameter presents.  I also recommend
> separating that portion of the Security Considerations about
> "username" into its own subsection to make such a callout
> better.
> 
> * Since this document is acknowledging that cookies are used for
> authentication, and
> 
> Nits/editorial comments:
> 
> * In section 2.1. "Terms for describing authentication protocol
> flow", the word "distinguishable" should instead be "distinguished"
> in the phrase "it can't be distinguishable from a non-authenticated
> response."
> 
> * In section 3. "Optional Authentication", the word "be" is missing
> in "Optional-WWW-Authenticate header MUST NOT sent on 401
> responses".
> 
> * In section 3.1. "Note on Optional-WWW-Authenticate and use of
> WWW-Authenticate header with non-401 status", the word "is" should
> be replaced with "are" in the phrase "clients which is unaware of
> this extension will ignore the header".
> 
> * Also in section 3.1., the word "authentications" should be
> "authentication" in the phrase "secondary fallback method of
> authentications".
> 
> * Also in section 3.1., the word "ignores" should be "ignore" in
> the phrase "just ignores the WWW-Authenticate headers".
> 
> * Also in section 3.1., all instances of the word "implementer"
> should be replaced with "implementers" in the phrase "the authors
> propose implementer of the standard HTTP/1.1 specification
> (especially implementer of this extension)".
> 
> * In section 4. "Authentication-Control header", the word "an"
> should be "a" in the phrase "and MUST be sent in an plain".
> 
> * In section 4.1. "Non-ASCII extended header parameters", the
> interoperability note as a number of grammatical challenges.
> I believe the following addresses the grammar issues while
> retaining its meaning:
> 
>    """
>    Interoperability note: [RFC7235], Section 2.2, defines the "realm"
>    authentication parameter which cannot be replaced by the "realm*"
>    extend parameter.  It means that the use of non-ASCII values for an
>    authentication realm is not the defined behavior in HTTP.
>    Unfortunately, some people currently use a non-ASCII realm parameter
>    in reality, but even its encoding scheme is not well-defined.
>    Given this background, this document does not specify how to handle
>    a non-ASCII "realm" parameter in the extended header fields.  If
>    needed, the authors propose to use a non-extended "realm" parameter
>    form, with a wish for maximum interoperability.
>    """
> 
> * In section 4.2. "Auth-style parameter", the word "preferences"
> should be replaced with "preference" in the phrase "server's
> preferences for user interface behavior".
> 
> * In section .4.4. "No-auth parameter", the word "authentications"
> should be replaced with "authentication" in the phrase "content is
> desired before authentications".
> 
> * In section 4.6. "Logout-timeout parameter", the word "from" should
> be removed in the phrase "has passed since from the time this header
> was received".
> 
> * In section 5.3. "When to use Cookies", the first sentence has some
> grammatical challenges, which I believe the following text addresses:
> 
>    """
>    In current Web sites using form-based authentication, Cookies
>    [RFC6265] are used for managing both authorization and
>    application sessions.
>    """
> 
> * In section 5.4. "Parallel deployment with Form/Cookie
> authentications", the META tag example should be "<META
> http-equiv="refresh" ...>" instead of ">META http-equiv="refresh"
> ...<".
> 
> * In section 7. "IANA Considerations", the word "documents" should
> be "document" in the phrase "a publicly-accessible documents".