[Gen-art] Telechat Review of draft-ietf-httpauth-extension-08
Matt Miller <mamille2@cisco.com> Thu, 01 September 2016 02:16 UTC
To: draft-ietf-httpauth-extension.all@ietf.org, gen-art@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/RbcWRcbtuVMqXEm0zKmpnuhsZMo>
I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments.

For more information, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-httpauth-extension-08
Reviewer: Matthew A. Miller
Review Date: 2016-08-31
IETF LC End Date: 2016-08-26
IESG Telechat date: 2016-09-01

Summary: This document is almost ready for publication as an Experimental RFC, once the minor and editorial issues are addressed.

Major issues: NONE

Minor issues:

* There are at least a couple of mentions of the "Authentication-Info" header, but no reference to RFC 7615 in which it is defined. I think an informational reference is warranted here.

* Just reading sections 4.5. "Location-when-logout parameter" and 4.6. "Logout-timeout parameter", it is unclear how these are meant to interact to inform a client about the user's authentication session. Frankly, I think the text in section 4.5 is too vague about how a client can detect termination of a user's authenticated session, and could use more of a hint on how "logout-timeout" is involved to accomplish it. At the least, I think both sections 4.5. and 4.6. need pointers to section 5. to help readers get a sense of how to apply them.

* In section 4.7. "Username parameter", I think there should be an explicit pointer to the Security Considerations to warn about potential issues this parameter presents. I also recommend separating that portion of the Security Considerations about "username" into its own subsection to make such a callout better.

* Since this document is acknowledging that cookies are used for authentication, and

Nits/editorial comments:

* In section 2.1. "Terms for describing authentication protocol flow", the word "distinguishable" should instead be "distinguished" in the phrase "it can't be distinguishable from a non-authenticated response."

* In section 3. "Optional Authentication", the word "be" is missing in "Optional-WWW-Authenticate header MUST NOT sent on 401 responses".

* In section 3.1. "Note on Optional-WWW-Authenticate and use of WWW-Authenticate header with non-401 status", the word "is" should be replaced with "are" in the phrase "clients which is unaware of this extension will ignore the header".

* Also in section 3.1., the word "authentications" should be "authentication" in the phrase "secondary fallback method of authentications".

* Also in section 3.1., the word "ignores" should be "ignore" in the phrase "just ignores the WWW-Authenticate headers".

* Also in section 3.1., all instances of the word "implementer" should be replaced with "implementers" in the phrase "the authors propose implementer of the standard HTTP/1.1 specification (especially implementer of this extension)".

* In section 4. "Authentication-Control header", the word "an" should be "a" in the phrase "and MUST be sent in an plain".

* In section 4.1. "Non-ASCII extended header parameters", the interoperability note has a number of grammatical challenges. I believe the following addresses the grammar issues while retaining its meaning:

"""
Interoperability note: [RFC7235], Section 2.2, defines the "realm" authentication parameter which cannot be replaced by the "realm*" extend parameter. It means that the use of non-ASCII values for an authentication realm is not the defined behavior in HTTP. Unfortunately, some people currently use a non-ASCII realm parameter in reality, but even its encoding scheme is not well-defined. Given this background, this document does not specify how to handle a non-ASCII "realm" parameter in the extended header fields. If needed, the authors propose to use a non-extended "realm" parameter form, with a wish for maximum interoperability.
"""

* In section 4.2. "Auth-style parameter", the word "preferences" should be replaced with "preference" in the phrase "server's preferences for user interface behavior".

* In section 4.4. "No-auth parameter", the word "authentications" should be replaced with "authentication" in the phrase "content is desired before authentications".

* In section 4.6. "Logout-timeout parameter", the word "from" should be removed in the phrase "has passed since from the time this header was received".

* In section 5.3. "When to use Cookies", the first sentence has some grammatical challenges, which I believe the following text addresses:

"""
In current Web sites using form-based authentication, Cookies [RFC6265] are used for managing both authorization and application sessions.
"""

* In section 5.4. "Parallel deployment with Form/Cookie authentications", the META tag example should be "<META http-equiv="refresh" ...>" instead of ">META http-equiv="refresh" ...<".

* In section 7. "IANA Considerations", the word "documents" should be "document" in the phrase "a publicly-accessible documents".
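The review above touches three mechanics of the draft without showing them in code: how a client takes apart the Authentication-Control header (including the "realm*" extended-parameter caveat from section 4.1), how "logout-timeout" is counted from the time the header was received (section 4.6), and the section 3 rule that Optional-WWW-Authenticate must not appear on a 401. The following Python is an added illustration written for this page; it is not code from the draft, its authors, or any implementation. It assumes the RFC 7235 auth-param syntax (token=token or token="quoted-string", comma separated) and the RFC 5987 ext-value form (charset''pct-encoded) for parameters whose names end in "*"; the parameter names come from the section titles the review cites, and the sample header and its values are constructed for the example.

```python
"""Client-side handling of the Authentication-Control header as described in the
review: parse auth-params, decode RFC 5987 ext-values, ignore "realm*" in favour
of plain "realm", derive the logout deadline, and flag the Optional-WWW-Authenticate
on 401 violation. Added example with assumed syntax; not the draft's own code."""
import re
import time
from urllib.parse import unquote

# One auth-param: name "=" ( quoted-string | token ), followed by "," or end of value.
# Assumption: names are RFC 7230 tokens, so "realm*" is a legal name.
_PARAM_RE = re.compile(
    r"\s*(?P<name>[!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^\s,;"]+))\s*(?:,|$)'
)


def decode_ext_value(ext: str) -> str:
    """Decode an RFC 5987 ext-value: charset "'" [language] "'" pct-encoded."""
    parts = ext.split("'", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed ext-value: {ext!r}")
    charset, _language, encoded = parts
    if charset.upper() not in ("UTF-8", "ISO-8859-1"):
        raise ValueError(f"unsupported ext-value charset: {charset!r}")
    return unquote(encoded, encoding=charset, errors="strict")


def parse_auth_params(value: str) -> dict:
    """Parse a comma-separated auth-param list into {name: value} (names lowercased).
    Duplicate names and unparseable input are rejected rather than guessed at."""
    params = {}
    pos = 0
    while pos < len(value):
        m = _PARAM_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed auth-param near offset {pos}: {value[pos:pos + 20]!r}")
        name = m.group("name").lower()
        if name in params:
            raise ValueError(f"duplicate parameter: {name!r}")
        raw = m.group("quoted")
        if raw is not None:
            raw = re.sub(r"\\(.)", r"\1", raw)  # undo quoted-pair escapes
        else:
            raw = m.group("token")
        params[name] = decode_ext_value(raw) if name.endswith("*") else raw
        pos = m.end()
    return params


def effective_realm(params: dict):
    """Per the interoperability note quoted in the review, "realm*" is not a defined
    replacement for "realm": only the plain, non-extended form is honoured."""
    return params.get("realm")


class AuthenticationControl:
    """Parsed Authentication-Control header plus the time it was received."""

    def __init__(self, params: dict, received_at: float):
        self.params = params
        self.received_at = received_at

    @classmethod
    def from_header(cls, value: str, received_at=None):
        return cls(parse_auth_params(value), time.time() if received_at is None else received_at)

    @property
    def logout_timeout(self):
        # Assumption: a non-negative integer number of seconds.
        v = self.params.get("logout-timeout")
        if v is None:
            return None
        if not v.isdigit():
            raise ValueError(f"logout-timeout is not a non-negative integer: {v!r}")
        return int(v)

    @property
    def location_when_logout(self):
        return self.params.get("location-when-logout")

    def logout_deadline(self):
        """Section 4.6 counts the timeout from when the header was received."""
        t = self.logout_timeout
        return None if t is None else self.received_at + t

    def session_expired(self, now: float) -> bool:
        d = self.logout_deadline()
        return d is not None and now >= d


def optional_auth_violation(status: int, headers: dict) -> bool:
    """Section 3: Optional-WWW-Authenticate MUST NOT be sent on 401 responses.
    True when a response breaks that rule (header-name match is case-insensitive)."""
    present = any(k.lower() == "optional-www-authenticate" for k in headers)
    return status == 401 and present


# Constructed sample header (values are illustrative, not taken from the draft).
SAMPLE_HEADER = (
    'auth-style=non-modal, logout-timeout=600, '
    'location-when-logout="https://example.com/loggedout", '
    "realm*=UTF-8''%E3%83%86%E3%82%B9%E3%83%88, realm=\"members\""
)
```

Running `AuthenticationControl.from_header(SAMPLE_HEADER, received_at=1000.0)` yields a logout deadline of 1600.0 and the decoded `realm*` value "テスト", which `effective_realm` deliberately ignores in favour of "members". The parser raises rather than silently dropping malformed or duplicated parameters, which is the conservative choice for a header that drives session-termination behaviour.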