[precis] Secdir last call review of draft-ietf-precis-7613bis-07
Joseph Salowey <email@example.com> Mon, 26 June 2017 05:50 UTC
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
Reviewer: Joseph Salowey
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is that the document is ready with nits. This document is an update to RFC 7613.

A few minor comments:

1. I think it would be good to show that the zero-length password is not allowed in table 4 (18 | <> | zero-length password). There are lots of cases where allowing zero-length passwords has led to problems. Disallowing zero-length passwords is helpful.

2. Comparison of passwords is a touchy subject. I can't think of a case where it would be preferable to do a direct password comparison. In most cases the comparison will be done against a salted-hashed transform of the password or involve some other cryptographic operation. I think it would be good to discuss this briefly in the security considerations section; sample text below:

"Password Comparison

Verification of passwords during authentication will not use the comparison defined in section 4.2.3. Instead cryptographic calculations are performed to verify the password. In most cases the password will be prepared as in section 4.2.1 and meet the rules enforced in section 4.2.2 before the calculations are performed."
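The two comments above describe one verification flow: prepare and enforce the password string first (rejecting a zero-length result), then verify it through a salted cryptographic transform rather than the profile's string comparison. The following Python is an added illustration of that flow; it is not text from the draft, from RFC 7613, or from the reviewer. The `prepare_password` function is a deliberately simplified stand-in for the OpaqueString preparation and enforcement steps (it only maps Unicode spaces to U+0020, applies NFC and rejects the empty string; the real profile applies the full PRECIS FreeformClass rules), and PBKDF2-HMAC-SHA256 is an assumed choice of password transform.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed, simplified stand-in for OpaqueString preparation (section 4.2.1)
# and enforcement (section 4.2.2): map non-ASCII space separators to
# U+0020, normalize to NFC, and reject a zero-length result, which is the
# check the reviewer's first comment asks the table to make explicit.
def prepare_password(password: str) -> str:
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in password
    )
    normalized = unicodedata.normalize("NFC", mapped)
    if len(normalized) == 0:
        raise ValueError("zero-length password is not allowed")
    return normalized


def hash_password(
    password: str, salt: Optional[bytes] = None, iterations: int = 200_000
) -> Tuple[bytes, bytes]:
    """Prepare the password, then derive a salted transform to store."""
    prepared = prepare_password(password).encode("utf-8")
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", prepared, salt, iterations)
    return salt, digest


def verify_password(
    candidate: str, salt: bytes, stored_digest: bytes, iterations: int = 200_000
) -> bool:
    """Verify by recomputing the transform; never compare the raw strings."""
    try:
        prepared = prepare_password(candidate).encode("utf-8")
    except ValueError:
        # A candidate that fails enforcement (e.g. empty) cannot match.
        return False
    digest = hashlib.pbkdf2_hmac("sha256", prepared, salt, iterations)
    # Constant-time comparison of the derived values, not of the passwords.
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: the stored form is the salt plus the PBKDF2 output.
    salt, stored = hash_password("caf\u00e9 latte")
    print("NFC-equivalent input verifies:", verify_password("cafe\u0301 latte", salt, stored))
    print("Wrong password verifies:", verify_password("cafe latte", salt, stored))
    print("Empty password verifies:", verify_password("", salt, stored))
```

Because preparation runs before hashing on both the enrolment and verification paths, canonically equivalent inputs (precomposed versus combining accents) verify against the same stored digest, while the empty string is rejected before any cryptographic work is done.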