[http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)
"Terry Manderson" <terry.manderson@icann.org> Tue, 01 November 2016 23:57 UTC
From: Terry Manderson <terry.manderson@icann.org>
To: The IESG <iesg@ietf.org>
Message-ID: <147804465351.23964.4743241573285672461.idtracker@ietfa.amsl.com>
Date: Tue, 01 Nov 2016 16:57:33 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/BKphn_h3TUbwQZ_WnlEz3ypFyNs>
Cc: http-auth@ietf.org, draft-ietf-httpauth-mutual@ietf.org, httpauth-chairs@ietf.org
Subject: [http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)
Terry Manderson has entered the following ballot position for
draft-ietf-httpauth-mutual-10: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-mutual/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for writing a very detailed document. A few minor comments.

1) Please review the introduction; there are several grammatical errors
in there. The meaning still came through just fine, but they were a
little distracting.

2) The state machine diagram of the client is quite complex. A candidate
for the new RFC format?

3) I agree with Alvaro's comment on the IPR. Thank you for making it
royalty free; however, I am not sure you need to add the text in the RFC.

4) This to me seems as if it is essentially a shared secret construct;
one sentence from RFC 2361 (security considerations) seems applicable
here: "All the security in this system is provided by the secrecy of the
private keying material." If this is the case, please provide ample
warning that (as one would expect) loss of the password from either the
client or the server results in a complete compromise.