[Gen-art] review of draft-ietf-httpauth-digest-15.txt
Francis Dupont <Francis.Dupont@fdupont.fr> Mon, 06 April 2015 17:59 UTC
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: gen-art@ietf.org
Date: Mon, 06 Apr 2015 19:58:42 +0200
Cc: draft-ietf-httpauth-digest.all@tools.ietf.org
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-ietf-httpauth-digest-15.txt
Reviewer: Francis Dupont
Review Date: 20150402
IETF LC End Date: 20150402
IESG Telechat date: unknown

Summary: Ready

Major issues: None

Minor issues: None

Nits/editorial comments:

I reviewed the 15 version but I can see the 16 one is already available, so I'll try to update my comments.

- first I was a bit surprised nobody just asked to jump to HTTPS (or HSTS), but reading the document it seems there are still good uses of the digest authentication scheme...

- 3.3 page 5: IMHO the "opaque" field is clearly a nonce (i.e., more a nonce than the "nonce" field), but I understand this was inherited from RFC 2617...

- 3.3 page 7 (algorithm, twice) and some other places: e.g. -> e.g.,

- 3.3 page 7 (algorithm): I noted the algo protocol is still a keyed one vs. HMAC (cf. AH, which switched from keyed to HMAC between RFC 1826 and RFC 2402), but I believe you have a good reason to do this (and the secdir will say if it is OK anyway).

- 3.4.2 page 11: e.g. -> e.g., (again, but this one is at the end of a line)

- 3.4.2 page 11: cnounce -> cnonce

- 3.4.2 page 11: the presentation of this definition is very misleading:

      A1 = H( unq(username) ":" unq(realm) ":" passwd ) ":" unq(nonce-prime) ":" unq(cnonce-prime)

  I strongly suggest something like:

      A1 = H( unq(username) ":" unq(realm) ":" passwd )
           ":" unq(nonce-prime) ":" unq(cnonce-prime)

- 3.4.2 page 11: "the server need only use": need -> needs

- 3.5 page 14: affects -> effects

- 5.2 page 21: "this information need not be decrypted": need -> needs

- 6.1 page 27: can you instantiate the RFC XXX: MD5: RFC 1321, SHA-256: FIPS 180-2, SHA-512/256: FIPS 180-4?

- A page 30: negotitation -> negotiation

Regards

Francis.Dupont@fdupont.fr
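As an added illustration of the two points above (the "-sess" A1 layout and the keyed-hash construction), here is a small Python model of the Digest computation, written for this page and not taken from the draft or the review; the username, realm, password, nonce and cnonce values are constructed sample inputs, and only MD5 and SHA-256 are mapped.

```python
import hashlib

# Constructed mapping from the draft's algorithm tokens to hashlib names.
_HASHES = {"MD5": "md5", "SHA-256": "sha256"}


def H(data: str, algorithm: str = "MD5") -> str:
    """H(): hex digest of an (unquoted) string, as the draft defines it."""
    return hashlib.new(_HASHES[algorithm], data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str, algorithm: str = "MD5") -> str:
    """KD(secret, data) = H(secret ":" data).

    This is the keyed construction the review contrasts with HMAC: the
    secret is simply hashed in front of the data."""
    return H(f"{secret}:{data}", algorithm)


def a1(username, realm, passwd, nonce, cnonce, algorithm="MD5", sess=False):
    """A1 for the plain and "-sess" variants.

    Plain:  username ":" realm ":" passwd
    -sess:  H(username ":" realm ":" passwd) ":" nonce ":" cnonce
    Note that H() covers only the first three fields; nonce and cnonce are
    appended outside the hash, which is what the reviewer's layout shows."""
    plain = f"{username}:{realm}:{passwd}"
    if not sess:
        return plain
    return H(plain, algorithm) + f":{nonce}:{cnonce}"


def misread_a1_sess(username, realm, passwd, nonce, cnonce, algorithm="MD5"):
    """The reading the flattened one-line layout invites: H() around everything.
    Included only to show that it yields a different value."""
    return H(f"{username}:{realm}:{passwd}:{nonce}:{cnonce}", algorithm)


def response(username, realm, passwd, nonce, cnonce, nc, qop, method, uri,
             algorithm="MD5", sess=False):
    """request-digest for qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    a2 = f"{method}:{uri}"                       # A2 for qop=auth
    data = f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2, algorithm)}"
    ha1 = H(a1(username, realm, passwd, nonce, cnonce, algorithm, sess), algorithm)
    return KD(ha1, data, algorithm)


if __name__ == "__main__":
    # Constructed sample credentials and nonces.
    print(a1("alice", "example.org", "correct horse", "n1", "c1", sess=True))
    print(response("alice", "example.org", "correct horse", "n1", "c1",
                   "00000001", "auth", "GET", "/dir/index.html", "SHA-256", sess=True))
```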