[http-auth] Mirja Kühlewind's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)

"Mirja Kuehlewind" <ietf@kuehlewind.net> Tue, 01 November 2016 13:58 UTC

From: Mirja Kuehlewind <ietf@kuehlewind.net>
To: The IESG <iesg@ietf.org>
Message-ID: <147800869091.23840.18136834516271995868.idtracker@ietfa.amsl.com>
Date: Tue, 01 Nov 2016 06:58:10 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/B9NhzusMXLO2xLl8IAt6yQbt9iE>
Cc: http-auth@ietf.org, draft-ietf-httpauth-mutual@ietf.org, httpauth-chairs@ietf.org
Subject: [http-auth] Mirja Kühlewind's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)

Mirja Kühlewind has entered the following ballot position for
draft-ietf-httpauth-mutual-10: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-mutual/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for this well-written spec!

One important question:
Doesn't this spec need to register a new HTTP Authentication Scheme
("Mutual") with IANA?

Further minor comments/questions:

1) Somehow I don't understand this:
   "For responses, the parameters "reason", any "ks#" (where # stands
   for any decimal integer), and "vks" are mutually exclusive; any
   challenge MUST NOT contain two or more parameters among them.
   They MUST NOT contain any "kc#" or "vkc" parameters."
Who is 'they' in the last sentence?

2) "Typically, clients can ensure the above property by using a
   monotonically-increasing integer counter that counts from zero up to
   the value of nc-max."
Wouldn't it be better to use a randomized number?

3) Nit: s/Even if the request-URI does not have a port part, v will
include the default port number./Even if the request-URI does not have a
port part, vh will include the default port number./