[http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)

"Alissa Cooper" <alissa@cooperw.in> Wed, 07 January 2015 22:20 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alissa Cooper <alissa@cooperw.in>
To: The IESG <iesg@ietf.org>
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150107222027.18377.83227.idtracker@ietfa.amsl.com>
Date: Wed, 07 Jan 2015 14:20:27 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/DNgUTsqxKrcQFx0eEwpjF_q1ClI
Cc: draft-ietf-httpauth-hoba.all@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@tools.ietf.org
Subject: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)

Alissa Cooper has entered the following ballot position for
draft-ietf-httpauth-hoba-09: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Good stuff! Couple of comments.

= Logging out =

The intro says

"Logout features can be useful for UAs, so HOBA defines a way to
      close a current HTTP "session", and also a way to close all
      current sessions, even if more than one session is currently
      active from different UAs for the same account."
    
But the method specified in 6.3 seems to only accomplish the first of
these (assuming the recommendation about server deletion of cookies
related to "the session" is meant to be specific to one session). What is
the method for logging out of all sessions associated with different UAs
for the same account?

= Section 6.1 =

Either the device identifier/device identifier type bits are
underspecified, or it's not clear to me how they are meant to be used.
What other device identifier types are expected to be used in the future,
such that a registry of them is necessary? To me it seems like you would
want UAs/users to take some care with the precision of the device
identifiers shared with servers -- e.g., "Alissa's laptop" seems like it
could be useful and fairly safe, whereas "IMEI 013584009812219" seems
like total overkill and a bad idea. (As an aside, it might be good to
provide some guidance about this in the document.) The creation of the
registry makes me wonder if more structured device identifiers of the
IMEI-ilk are envisioned, and if so what the purpose of them is expected
to be?

Also, I would suggest

s/if absent then the "string" form of device identifier MUST be used./if
absent then the "string" form of device identifier defined in Section 9.5
MUST be used.

= Section 8 =

"Binding my CPK with someone else's account would be fun and
   profitable so SHOULD be appropriately hard."

Sarcasm translates pretty poorly across cultures. I would suggest saying
what you actually mean here.

= Section 8.2 =

If you want to leave in the LinkedIn reference, or any specific example,
it needs a citation.

[http-auth] Alissa Cooper's No Objection on draft… Alissa Cooper
Re: [http-auth] Alissa Cooper's No Objection on d… Stephen Farrell
Re: [http-auth] Alissa Cooper's No Objection on d… Kathleen Moriarty
Re: [http-auth] Alissa Cooper's No Objection on d… Spencer Dawkins at IETF
Re: [http-auth] Alissa Cooper's No Objection on d… Kathleen Moriarty
Re: [http-auth] Alissa Cooper's No Objection on d… Stephen Farrell
Re: [http-auth] Alissa Cooper's No Objection on d… Spencer Dawkins at IETF
Re: [http-auth] Alissa Cooper's No Objection on d… Martin J. Dürst
Re: [http-auth] Alissa Cooper's No Objection on d… Alissa Cooper