[precis] Secdir last call review of draft-ietf-precis-7613bis-07

Joseph Salowey <joe@salowey.net> Mon, 26 June 2017 05:50 UTC

From: Joseph Salowey <joe@salowey.net>
To: secdir@ietf.org
Cc: draft-ietf-precis-7613bis.all@ietf.org, iesg@ietf.org, precis@ietf.org
Message-ID: <149845620057.31750.11952736688634266964@ietfa.amsl.com>
Date: Sun, 25 Jun 2017 22:50:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/precis/92Plyb6Tzs0ggysbV3enG5lBTyY>
Subject: [precis] Secdir last call review of draft-ietf-precis-7613bis-07

Reviewer: Joseph Salowey
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is that the document is ready with nits.

This document is an update to RFC 7613. A few minor comments:

1.  I think it would be good to show that the zero-length password is not allowed in
table 4 (18 | <> | zero-length password). There are lots of cases where
allowing zero-length passwords has led to problems. Disallowing zero-length
passwords is helpful.

2.  Comparison of passwords is a touchy subject. I can't think of a case
where it would be preferable to do a direct password comparison. In most
cases the comparison will be done against a salted-hashed transform of the
password or involve some other cryptographic operation. I think it would be
good to discuss this briefly in the security considerations section; sample
text below:

"Password Comparison

Verification of passwords during authentication will not use the comparison
defined in section 4.2.3. Instead, cryptographic calculations are performed to
verify the password. In most cases the password will be prepared as in
section 4.2.1 and meet the rules enforced in section 4.2.2 before the
calculations are performed."