[http-auth] Barry Leiba's Yes on draft-ietf-httpauth-scram-auth-14: (with COMMENT)

"Barry Leiba" <barryleiba@computer.org> Wed, 16 December 2015 05:00 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Barry Leiba <barryleiba@computer.org>
To: The IESG <iesg@ietf.org>
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20151216050031.11217.8507.idtracker@ietfa.amsl.com>
Date: Tue, 15 Dec 2015 21:00:31 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/dJEefJCEhj2BBQm079D7388aXpA>
Cc: draft-ietf-httpauth-scram-auth@ietf.org, httpauth-chairs@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@ietf.org, draft-ietf-httpauth-scram-auth-all@tools.ietf.org
Subject: [http-auth] Barry Leiba's Yes on draft-ietf-httpauth-scram-auth-14: (with COMMENT)

Barry Leiba has entered the following ballot position for
draft-ietf-httpauth-scram-auth-14: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpauth-scram-auth/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

-- Section 3 --

   It sends
   the username to the server, which retrieves the corresponding
   authentication information, i.e. a salt, StoredKey, ServerKey and the
   iteration count i.

As this is written, it's not clear whether the "corresponding
authentication information" is "a salt" alone, or the whole list of
things after.  I suggest this:

NEW
   It sends
   the username to the server, which retrieves the corresponding
   authentication information: a salt, a StoredKey, a ServerKey,
   and an iteration count (i).
END

Why does the paragraph end in a colon ("and sends a ClientProof to the
server:")?

   To begin with, the SCRAM client is in possession of a username and
   password (*) (or a ClientKey/ServerKey, or SaltedPassword).

...and...

   (*) - Note that both the username and the password MUST be encoded in
   UTF-8 [RFC3629].

I suggest that splitting these up with a bunch of text in between isn't a
good way to do it.  I think this would be better:

NEW
   To begin with, the SCRAM client is in possession of a username and
   password, both encoded in UTF-8 [RFC3629] (or a ClientKey/ServerKey,
   or SaltedPassword).
END

There's no pressing need to use the word "MUST" there.

   Informative Note: Implementors are encouraged to create test cases
   that use both username passwords with non-ASCII codepoints.  In
   particular, it is useful to test codepoints whose "Unicode
   Normalization Form C" and "Unicode Normalization Form KC" are
   different.

It would be good to include an informative reference to the Unicode
Normalization Forms document here, so people can easily look up what NFC
and NFKC are.  It might also be good to say "Normalization Form Canonical
Composition (NFC)" and "Normalization Form Compatibility Composition
(NFKC)", rather than to use the mixed versions that you have here.

-- Section 4 --

   from the IANA "Hash Function Textual Names" registry (see
   http://www.iana.org) .

Better, I think, to use the direct URL for the registry (which is fine
with IANA):
http://www.iana.org/assignments/hash-function-text-names/

[http-auth] Barry Leiba's Yes on draft-ietf-httpa… Barry Leiba
Re: [http-auth] Barry Leiba's Yes on draft-ietf-h… Alexey Melnikov