[http-auth] Barry Leiba's Yes on draft-ietf-httpauth-hoba-10: (with COMMENT)
"Barry Leiba" <barryleiba@computer.org> Thu, 08 January 2015 22:50 UTC
From: Barry Leiba <barryleiba@computer.org>
To: The IESG <iesg@ietf.org>
Date: Thu, 08 Jan 2015 14:49:59 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/NuLQP3ovfcvwuwnmkfEWCsdvV1A>
Cc: draft-ietf-httpauth-hoba.all@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@tools.ietf.org
Barry Leiba has entered the following ballot position for
draft-ietf-httpauth-hoba-10: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I have looked at the change to Section 8.2, and I think it (and the
reference) is a perfect choice, and makes the document stronger. Thank
you very much for going in this direction!

------------ Remaining minor comments, left for posterity ------------

-- Section 3 --

   The "realm" attribute MUST NOT appear more than once.

Does that mean that "challenge" and max-age can appear more than once?
If not, why call it out for "realm" and not for the others?

-- Section 6.2 --

It seems odd to put the NOT RECOMMENDED mechanism in the middle; I
suggest switching sections 6.2.2 and 6.2.3.

-- Section 8.3 --

The chances that a typical user (consider my mother) will know or care
about this, much less will "request" anything is vanishingly small. Can
you say anything here about what can be done that would have any
practical utility?

-- Section 9.3 --

   Please create a new HOBA signature algorithms registry as follows,
   with the specification required rule for updates. New HOBA signature
   algorithms SHOULD be in use with other IETF standards track protocols
   before being added to this registry.

I don't think the SHOULD is really right -- who is the target? This
needs to be cast as instructions to the designated expert, perhaps as,
"The designated expert will review other uses of requested new HOBA
signature algorithms, with particular consideration to their use in
other IETF standards track protocols." Perhaps there's also another word
or two to say about what the DE should consider?

-- Sections 9.4 and 9.5 --

Might there be any advice for the designated expert, anything at all?