[Gen-art] review of draft-ietf-httpauth-digest-15.txt

Francis Dupont <Francis.Dupont@fdupont.fr> Mon, 06 April 2015 17:59 UTC

Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id D04411A906A for <gen-art@ietfa.amsl.com>; Mon, 6 Apr 2015 10:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.337
X-Spam-Status: No, score=0.337 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_FR=0.35, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id n8mSulyIeVN6 for <gen-art@ietfa.amsl.com>; Mon, 6 Apr 2015 10:59:25 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 150301A9063 for <gen-art@ietf.org>; Mon, 6 Apr 2015 10:59:24 -0700 (PDT)
Received: from givry.fdupont.fr (localhost []) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id t36HwgRi005964; Mon, 6 Apr 2015 19:58:42 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201504061758.t36HwgRi005964@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: gen-art@ietf.org
Date: Mon, 06 Apr 2015 19:58:42 +0200
Sender: Francis.Dupont@fdupont.fr
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/rsq2-O3H_5vrVq6vuIDmlrNtWPQ>
Cc: draft-ietf-httpauth-digest.all@tools.ietf.org
Subject: [Gen-art] review of draft-ietf-httpauth-digest-15.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2015 17:59:27 -0000

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at


Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-httpauth-digest-15.txt
Reviewer: Francis Dupont
Review Date: 20150402
IETF LC End Date: 20150402
IESG Telechat date: unknown

Summary: Ready

Major issues: None

Minor issues: None

Nits/editorial comments:
 I reviewed the 15 version but I can see the 16 one is already available
so I'll try to update my comments.

 - first I was a bit surprised nobody just asked to jump to HTTPS (or
  HSTS) but reading the document it seems there are still good use
  of the digest authentication scheme...

 -  3.3 page 5: IMHO the "opaque" field is clearly a nonce
  (i.e., more a nonce than the "nonce" field) but I understand this
  was inherited from RFC 2617...

 - 3.3 page 7 (algorithm, twice) and some other places:
  e.g. -> e.g.,

 - 3.3 page 7 (algorithm): I noted the algo protocol is still
  a keyed one vs. HMAC (cf. AH which switched from keyed to HMAC
  between RFC 1826 and RFC 2402) but I believed you have a good
  reason to do this (and the secdir will say if it is OK anyway).

 - 3.4.2 page 11: e.g. -> e.g., (again but this one is at the end of a line)

 - 3.4.2 page 11: cnounce -> cnonce

 - 3.4.2 page 11: the presentation of this definition is very

         A1       = H( unq(username) ":" unq(realm)
                        ":" passwd )
                        ":" unq(nonce-prime) ":" unq(cnonce-prime)

  I strongly suggest something like:

         A1       = H( unq(username) ":" unq(realm) ":" passwd )
                        ":" unq(nonce-prime) ":" unq(cnonce-prime)

 - 3.4.2 page 11: the server need only use
                                 ^ needs

 - 3.5 page 14: affects -> effects

 - 5.2 page 21: this information need not be decrypted
                                     ^ needs

 - 6.1 page 27: can you instantiate the RFC XXX:
  MD5: RFC 1321
  SHA-256: FIPS 180-2
  SHA-512/256: FIPS 180-4?

 - A page 30: negotitation -> negotiation