RFC 4590 IETF Last Call Comments

[Bernard Aboba <bernard_aboba@hotmail.com>]

From: Frank EllermannDate: Friday, May 18, 2007Subject: Re: Last Call: draft-ietf-radext-rfc4590bis (RADIUS Extension for Digest Authentication) to Proposed StandardThe IESG wrote:> The IESG has received a request from the RADIUS EXTensions WG (radext)> to consider the following document:> - 'RADIUS Extension for Digest Authentication '>    <draft-ietf-radext-rfc4590bis-01.txt> as a Proposed StandardHi, this draft might be also interesting for the 2831bis (SASL) and2617bis (HTTP-AUTH) folks.  From a quick read I found that the I-Dpicked the "keep backslash as is" approach between client and proxy,trimming \\ and \" only at the RADIUS server.The other DIGEST-MD5 parameters are as always confusing, I don't seeanything related to SASLprep in the draft (it's based on 2617).  Itmentions 2069 backwards compatibility based on the absence of "QoP",I'm not sure if that's correct for "md5-sess" without "QoP".The draft says that the length of NC is 10, shouldn't that be 8 ?The first example has no CNONCE and no NC, my script claims that thisis a fatal error for qop=auth, isn't it ?  RFC 2617 says that it MUSTbe sent for a non-empty qop.The password for the 4590 examples isn't shown, therefore I'm unableto check them, even after adjusting the code to treat qop=auth withoutCNONCE as 2069 fallback.  Should I treat CNONCE as empty and make upan NC 00000001 ?Without SASLprep the draft IMO needs some "I18N considerations" aboutnon-ASCII user names and passwords as mandated by BCP 18 (RFC 2277).Frank