Skip to main content

Cancel-Locks in Netnews Articles
draft-baeuerle-netnews-cancel-lock-09

Revision differences

Document history

Date Rev. By Action
2018-02-05
09 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2018-01-16
09 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2017-12-22
09 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2017-12-13
09 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2017-12-13
09 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2017-12-12
09 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-12-12
09 (System) IANA Action state changed to In Progress from Waiting on Authors
2017-12-10
09 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-12-10
09 (System) IANA Action state changed to In Progress from On Hold
2017-12-08
09 (System) IANA Action state changed to On Hold
2017-12-05
09 (System) RFC Editor state changed to EDIT
2017-12-05
09 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2017-12-05
09 (System) Announcement was received by RFC Editor
2017-12-05
09 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2017-12-05
09 Amy Vezza IESG has approved the document
2017-12-05
09 Amy Vezza Closed "Approve" ballot
2017-12-05
09 Alexey Melnikov RFC Editor Note was changed
2017-12-05
09 Alexey Melnikov RFC Editor Note for ballot was generated
2017-12-05
09 Alexey Melnikov RFC Editor Note was changed
2017-12-05
09 Alexey Melnikov RFC Editor Note for ballot was generated
2017-12-05
09 Alexey Melnikov RFC Editor Note was cleared
2017-12-05
09 Amy Vezza IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2017-12-05
09 Amy Vezza Ballot approval text was generated
2017-12-05
09 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-09.txt
2017-12-05
09 (System) New version approved
2017-12-05
09 (System) Request for posting confirmation emailed to previous authors: Michael Bauerle
2017-12-05
09 Michael Bäuerle Uploaded new revision
2017-12-02
08 Eric Rescorla [Ballot Position Update] Position for Eric Rescorla has been changed to No Objection from Discuss
2017-11-21
08 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-08.txt
2017-11-21
08 (System) New version approved
2017-11-21
08 (System) Request for posting confirmation emailed to previous authors: Michael Bauerle
2017-11-21
08 Michael Bäuerle Uploaded new revision
2017-11-20
07 (System) Sub state has been changed to AD Followup from Revised ID Needed
2017-11-20
07 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2017-11-20
07 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-07.txt
2017-11-20
07 (System) New version approved
2017-11-20
07 (System) Request for posting confirmation emailed to previous authors: Michael Bauerle
2017-11-20
07 Michael Bäuerle Uploaded new revision
2017-10-06
06 Joel Jaeggli Request for Telechat review by OPSDIR Completed: Has Nits. Reviewer: Joel Jaeggli. Sent review to list.
2017-09-28
06 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2017-09-28
06 Alexey Melnikov RFC Editor Note was changed
2017-09-28
06 Alexey Melnikov RFC Editor Note was changed
2017-09-28
06 Alexey Melnikov RFC Editor Note for ballot was generated
2017-09-28
06 Alexey Melnikov RFC Editor Note for ballot was generated
2017-09-28
06 Kathleen Moriarty [Ballot comment]
I support Eric's discuss and comments.
2017-09-28
06 Kathleen Moriarty [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty
2017-09-28
06 Tero Kivinen Request for Telechat review by SECDIR Completed: Has Nits. Reviewer: David Mandelberg.
2017-09-27
06 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2017-09-27
06 Ben Campbell
[Ballot comment]
Substantive:

-1.2:
Who does this section address? Do you expect it to stay in the final RFC text? Do you expect readers to …
[Ballot comment]
Substantive:

-1.2:
Who does this section address? Do you expect it to stay in the final RFC text? Do you expect readers to do something about it?

-2.1 "If  is not supported by an implementation, the corresponding
    element MUST be skipped and potential following
  elements MUST NOT be ignored."
I'm not sure I understand the intent. Only the first may be skipped? What if following elements also do not support the scheme? (repeats in 2.2)

-7: I'm surprised there's not a stronger recommendation to combine this with a signature-bases authentication system. It seems like a cancel or supersedes article should have at least the same level of protection as the original article.

Editorial:

-1, first paragraph: "... agent that processed the original article has required
  to withdraw..."
s/required/requested

-1.1, first sentence: "Any term not defined in this document has the same meaning as it does
  in [RFC5536] or [RFC5537]."
That seems unlikely to be true in any formal sense. Please consider enumerating the terms that are imported from those RFCs. Or failing that, say something to the effect of "The terminology from RFCs 5536 and 5537 are incorporated as defined in those documents."

-3, third bullet: "An injecting agent acts representitive for posting agents without
      support for the autentication system described in this document."
Should this day "acts as a representative" or "acts on behalf of"?  (Pattern occurs several times throughout.)

-3.3: "A Cancel-Key header field MAY be added to a proto-article containing
  a Control or Supersedes header field by the poster or posting agent
  which will include one or more  elements. "
This is hard to parse. Please consider active voice.

-4, last paragraph: Please include a reference for OpenSSL
2017-09-27
06 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2017-09-27
06 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2017-09-27
06 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2017-09-27
06 Mirja Kühlewind
[Ballot comment]
Thanks Paul for the gen-art review! My understanding is that this final change will be requested with an RFC editor note and as …
[Ballot comment]
Thanks Paul for the gen-art review! My understanding is that this final change will be requested with an RFC editor note and as such the document can move forward.

Not sure if the rules for the new registry must be defined that extensively in this document as they seem to be inline with the usual procedures as defined in RFC8126. However, I guess that's not a problem.

Nit:
Maybe make this one explicitly normative:
OLD
"The hash algorithm "sha256" is mandatory to implement."
NEW
"The hash algorithm "sha256" is REQUIRED to implement."
2017-09-27
06 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2017-09-26
06 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2017-09-26
06 Adam Roach
[Ballot comment]
Thanks for a very easy to read and understand document. I have a small number of questions/comments.

Section 1.2 gives instructions for representations …
[Ballot comment]
Thanks for a very easy to read and understand document. I have a small number of questions/comments.

Section 1.2 gives instructions for representations of names that cannot be accurately displayed with the ASCII character set. Who is the target audience here? If these are intended as instructions for the RFC editor, I note that the current policy is: "no additional non-ASCII documents... will be published until the new format tools are in production." If these are intended as notes to the reader, they're fine (although I might suggest phrasing it as a note for the reader in that case).

Section 2 contains the following text: "Because the hash algorithm for  cannot be negotiated, unnecessary proliferation of hash algorithms should be avoided." Section 8.1, however, defines a first-come-first-served registration policy for these schemes. In light of the observation made in section 2, can you explain why this policy was chosen?

Section 3.5 has the following instructions for Cancel-Key validators:

  To process the authentication, the received article must contain a
  Cancel-Key header field and the original article a Cancel-Lock header
  field.  If this is not the case, the authentication is not possible
  (failed).

A literal reading of this is that: if I get a cancellation with a "Cancel-Key" in it, but the corresponding article has no "Cancel-Lock," then authentication fails and the article is *not* canceled. This seems to have some unfortunate failure modes when injectors transition from not using this mechanism to using it: since the generation of the key K is performed statelessly, the injector will not know whether an article originally contained a "Cancel-Lock," and will therefore insert a "Cancel-Key" into the cancelling article. If the original article was injected before the cancel lock mechanism was activated, this would then cause the cancellation to fail. Is that the intention?

Finally, it may be worth including some information about how rotation of the secret used to generate the various keys K might be achieved.
2017-09-26
06 Adam Roach [Ballot Position Update] New position, No Objection, has been recorded for Adam Roach
2017-09-26
06 Warren Kumari
[Ballot comment]
I have some comments and nits, but please keep in mind that I'm really not a new expert, so apologies if some of …
[Ballot comment]
I have some comments and nits, but please keep in mind that I'm really not a new expert, so apologies if some of these are obvious.

Section 1.  Introduction
"or injecting agent that processed the original article has required to withdraw it via the use of a cancel control article"
I think that this is actually "requested", not "required" --AFAICT, the person doing this cannot really enforce that this is done, and so the best that they can do is request that this happens. Or, if they really can, perhaps "... that processed the original article is withdrawing it via the use of a cancel control article".

"One property of this system is that it prevents tracking of individual users" - I disagree. This method / technique itself doesn't prevent tracking of individual users -- what it does (as far as I understand) is allow users to cancel / supersede / etc postings without being tracked if they choose to use this.

Section 2.1.  Cancel-Lock
This is hard to follow without examples -- please mention that there *are* examples further in the doc; they are helpful, but only if you know they exist :-)

"Comments in CFWS can cause interoperability problems" -- please expand CFWS (perhaps a link to RFC 5322 Section 3.2.2 ?)

Section 3. Use
"This  secret strings can" s/This/These (plural)

"An injecting agent acts representitive "  - perhaps "acting as representative" or "acts as the". Also, representitive is misspelled I think (also in S3.1)

"Other agents MUST NOT add this header field to articles or proto- articles that they process."  -- OK, but what if they do?  What if the injecting agent / moderator *doesn't* do add this, but someone else does? Can they then cancel the posting when they otherwise wouldn't be able to? (As I said, I have no idea how new normally works, just wondering if allows an external party to escalate privileges).

Section 5.1:
"Example data for creation of a  element with HMAC-SHA256 and  empty string as  (as suggested in Section 4 for posting agents):
      Message-ID: <12345@mid.example>"
Is the message-ID strongly tied to the article? E.g can an attacker somehow attach a message ID (from A) to a different body / article (from B), and then when A gets cancelled, use this to also cancel B? Just like above, I really have no idea how Message-IDs are generated / used, so a simple "No, that's stupid!" is fine :-))

Just like above, mentioning that the examples exist would be helpful higher up in the document.
2017-09-26
06 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2017-09-26
06 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2017-09-26
06 Gunter Van de Velde Request for Telechat review by OPSDIR is assigned to Joel Jaeggli
2017-09-26
06 Gunter Van de Velde Request for Telechat review by OPSDIR is assigned to Joel Jaeggli
2017-09-25
06 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed
2017-09-25
06 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2017-09-25
06 Alexey Melnikov
[Ballot comment]
The GenArt ABNF issue was resolved by posting in erratum on RFC 5536. A small tweak to the ABNF in this document …
[Ballot comment]
The GenArt ABNF issue was resolved by posting in erratum on RFC 5536. A small tweak to the ABNF in this document is needed to match. I suggest the following RFC Editor Note:

Replace the first 3 paragraphs at the beginning of Section 2:

OLD:

  This section describes the formal syntax of the new header fields
  using ABNF [RFC5234].  It extends the syntax in Section 3 of
  [RFC5536] and non-terminals not defined in this document are defined
  there.  The [RFC5536] ABNF should be imported first before attempting
  to validate these rules.

  The new header fields Cancel-Lock and Cancel-Key are defined by this
  document, they follow the rules described in [RFC5536] Section 2.2:

      fields =/ *( cancel-lock / cancel-key )

NEW:

  This section describes the formal syntax of the new header fields
  using ABNF [RFC5234].  It extends the syntax in Section 3 of
  [RFC5536] and non-terminals not defined in this document are defined
  there.

  The new header fields Cancel-Lock and Cancel-Key are defined by this
  document, extended the list of article header fields defined in in [RFC5536].
2017-09-25
06 Alexey Melnikov Ballot comment text updated for Alexey Melnikov
2017-09-24
06 Eric Rescorla
[Ballot discuss]
The proper use of HMAC as a KDF is to have the secret value be used as the key and the public value …
[Ballot discuss]
The proper use of HMAC as a KDF is to have the secret value be used as the key and the public value used as the value, not the other way around. Even then, it would be better to use HKDF.
2017-09-24
06 Eric Rescorla
[Ballot comment]
Line 225
  secret strings can later be used to authenticate a cancel or
  supersede request.
This document would be easier to …
[Ballot comment]
Line 225
  secret strings can later be used to authenticate a cancel or
  supersede request.
This document would be easier to read if this section was earlier up. I had to kind of infer that you were sending hashes and then using preimages to cancel.


Line 235
  o  An injecting agent acts representitive for posting agents without
      support for the autentication system described in this document.
This is ungrammatical.


Line 236
  o  An injecting agent acts representitive for posting agents without
      support for the autentication system described in this document.
Nit: authentication.


Line 239
  o  A news administrator wants the ability to cancel articles that
      were injected by its system (because they e.g. violate its abuse
      policy).
Nit: "e.g." has a trailing comma and also needs a real phrase afterwards as in "e.g., they violate"


Line 252
  If an injecting agent (or moderator) wants to act representitive for
  a posting agent without support for the authentication system
See above.


Line 358
      K = HMAC(uid+mid, sec)
IMPORTANT: The proper use of HMAC as a PRF is to have the secret value be used as the key and the public value used as the value, not the other way around.

Line 380
  In general every agent must not use the same secret  if multiple
    elements are added.
Why don't you instead generate this as:

HMAC(sec, uid || mid || scheme).

Line 384
  size of the hash function that is used by HMAC (256 bit / 32 octets
  for SHA256) and must be a random value.
This should state "cryptographically random" and cite RFC 4086.

Also, I don't understand the requirement to have a minimum length of the size of the hash. That's not an HMAC requirement and doesn't make sense if you're not coupling it to the shash you are using.


Line 647
  recommendations remain in the document, or does an RFC exist to refer
  to with regards to security recommendations? ]]
I don't see where these values would come from. The size should be orthogonal to the hash function, and if you did want to match it, should be the same size. also, you need to cite RFC 4086 here too.
2017-09-24
06 Eric Rescorla [Ballot Position Update] New position, Discuss, has been recorded for Eric Rescorla
2017-09-24
06 Alexey Melnikov
[Ballot comment]
The GenArt ABNF issue was resolved by posting in erratum on RFC 5536. A small tweak to the ABNF in this document …
[Ballot comment]
The GenArt ABNF issue was resolved by posting in erratum on RFC 5536. A small tweak to the ABNF in this document is needed to match. I most likely handle it as an RFC Editor Note.
2017-09-24
06 Alexey Melnikov Ballot comment text updated for Alexey Melnikov
2017-09-24
06 Alexey Melnikov IESG state changed to IESG Evaluation from Waiting for Writeup::AD Followup
2017-09-24
06 Alexey Melnikov Ballot has been issued
2017-09-24
06 Alexey Melnikov [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov
2017-09-24
06 Alexey Melnikov Created "Approve" ballot
2017-09-24
06 Alexey Melnikov Ballot writeup was changed
2017-09-21
06 Paul Kyzivat Request for Telechat review by GENART Completed: On the Right Track. Reviewer: Paul Kyzivat.
2017-09-20
06 Tero Kivinen Request for Telechat review by SECDIR is assigned to David Mandelberg
2017-09-20
06 Tero Kivinen Request for Telechat review by SECDIR is assigned to David Mandelberg
2017-09-20
06 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'No Response'
2017-09-14
06 Jean Mahoney Request for Telechat review by GENART is assigned to Paul Kyzivat
2017-09-14
06 Jean Mahoney Request for Telechat review by GENART is assigned to Paul Kyzivat
2017-09-13
06 (System) Sub state has been changed to AD Followup from Revised ID Needed
2017-09-13
06 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2017-09-13
06 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-06.txt
2017-09-13
06 (System) New version approved
2017-09-13
06 (System) Request for posting confirmation emailed to previous authors: Michael Bauerle
2017-09-13
06 Michael Bäuerle Uploaded new revision
2017-09-13
05 Alexey Melnikov Placed on agenda for telechat - 2017-09-28
2017-07-21
05 Alexey Melnikov Removed from agenda for telechat
2017-07-03
05 Alexey Melnikov Telechat date has been changed to 2017-08-03 from 2017-07-06
2017-07-03
05 Alexey Melnikov SecDir and Gen-Art reviews need a revision (or at least a reply).
2017-07-03
05 Alexey Melnikov IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup
2017-07-03
05 Alexey Melnikov Changed consensus to Yes from Unknown
2017-06-28
05 (System) IESG state changed to Waiting for Writeup from In Last Call
2017-06-23
05 Paul Kyzivat Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Paul Kyzivat.
2017-06-22
05 (System) IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed
2017-06-22
05 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-baeuerle-netnews-cancel-lock-05.txt. If any part of this review is inaccurate, please let …
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-baeuerle-netnews-cancel-lock-05.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator understands that, upon approval of this document, there are two actions which we must complete.

First, in the Provisional Message Header Field Names registry on the Message Headers registry page located at:

https://www.iana.org/assignments/message-headers/

two early registrations will have their registrations made permanent by changing the references to: [ RFC-to-be ]

These are:

Cancel-Key
Cancel-Lock

Second, a new registry is to be created called the Netnews Cancel-Lock hash algorithm registry.

The new registry will be a new entry on the IANA matrix. IANA notes that the authors suggest that the new reigstry be made available at .

New entries in the registry are to be created through First Come, First Serverd as defined in [ RFC 5226 ]. In section 8.1, the authors provide a template for registration of new algorithms.

There are initial registrations in the new registry as follows:
-------+----------------+--------------+-----------------------------------------------------
Name Usage: Reference: Note:
-------+----------------+--------------+-----------------------------------------------------
md5 OBSOLETE [ RFC-to-be ] Do not use this algorithm anymore
sha1 LIMITED USE [ RFC-to-be ] This algorithm is intended for backward compatibility
sha224 LIMITED USE [ RFC-to-be ] sha256 should be used instead, this is a truncated variant of it
sha256 COMMON [ RFC-to-be ] This algorithm is mandatory to implement
sha384 LIMITED USE [ RFC-to-be ] sha512 should be used instead, this is a truncated variant of it
sha512 COMMON [ RFC-to-be ] This algorithm is optional


The IANA Services Operator understands that these two actions are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI
2017-06-15
05 Tero Kivinen Request for Last Call review by SECDIR Completed: Not Ready. Reviewer: David Mandelberg.
2017-06-06
05 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Niclas Comstedt
2017-06-06
05 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Niclas Comstedt
2017-06-03
05 Alexey Melnikov Placed on agenda for telechat - 2017-07-06
2017-06-02
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to David Mandelberg
2017-06-02
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to David Mandelberg
2017-06-01
05 Jean Mahoney Request for Last Call review by GENART is assigned to Paul Kyzivat
2017-06-01
05 Jean Mahoney Request for Last Call review by GENART is assigned to Paul Kyzivat
2017-05-31
05 Amy Vezza IANA Review state changed to IANA - Review Needed
2017-05-31
05 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: draft-baeuerle-netnews-cancel-lock@ietf.org, alexey.melnikov@isode.com, julien@trigofacile.com, =?utf-8?q?Julien_=C3=89LIE?=
Reply-To: ietf@ietf.org
Sender:
Subject: …
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: draft-baeuerle-netnews-cancel-lock@ietf.org, alexey.melnikov@isode.com, julien@trigofacile.com, =?utf-8?q?Julien_=C3=89LIE?=
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Cancel-Locks in Netnews articles) to Proposed Standard


The IESG has received a request from an individual submitter to consider
the following document:
- 'Cancel-Locks in Netnews articles'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-06-28. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document defines an extension to the Netnews Article Format that
  may be used to authenticate the cancelling and superseding of
  existing articles.  If approved, this document updates RFC5537.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-baeuerle-netnews-cancel-lock/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-baeuerle-netnews-cancel-lock/ballot/


No IPR declarations have been submitted directly on this I-D.




2017-05-31
05 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2017-05-31
05 Alexey Melnikov Last call was requested
2017-05-31
05 Alexey Melnikov Last call announcement was generated
2017-05-31
05 Alexey Melnikov Ballot approval text was generated
2017-05-31
05 Alexey Melnikov Ballot writeup was generated
2017-05-31
05 Alexey Melnikov IESG state changed to Last Call Requested from AD Evaluation::AD Followup
2017-05-31
05 Alexey Melnikov My AD review comments were addressed.
2017-05-31
05 Alexey Melnikov Notification list changed to =?utf-8?q?Julien_=C3=89LIE?= <julien@trigofacile.com>
2017-05-31
05 Alexey Melnikov Document shepherd changed to Julien ÉLIE
2017-05-31
05 (System) Sub state has been changed to AD Followup from Revised ID Needed
2017-05-31
05 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-05.txt
2017-05-31
05 (System) New version approved
2017-05-31
05 (System) Request for posting confirmation emailed to previous authors: =?utf-8?q?Michael_B=C3=A4uerle?=
2017-05-31
05 Michael Bäuerle Uploaded new revision
2017-05-30
04 Alexey Melnikov IESG state changed to AD Evaluation::Revised I-D Needed from AD Evaluation
2017-05-30
04 Alexey Melnikov
My AD review:

You point to Section 6.8  of [RFC2045] for Base64 reference. Please update it to Section 4 of RFC 4648. …
My AD review:

You point to Section 6.8  of [RFC2045] for Base64 reference. Please update it to Section 4 of RFC 4648.

In Section 3.1: First thing you need to do is explain the purpose of the header field. One or two sentences should suffice.
I only figured out the purpose once I got to examples, so this is not great for readers not familiar with technology.

In Section 3.3: As above, please add a quick explanation of the purpose of the header field.

In Section 3.5:

1.  The  part of the  element is hashed using the
      algorithm defined by its  part.

is not defined anywhere else in the document. I think you meant  from Section 2.2.

In Section 4:

  This section is informative, not normative.

Should the algorithm described be at least RECOMMENDED? If you don't think so, I think saying here why this section is only informative is going to be helpful.

In Section 7:

Is guessing of MID for messages to be posted and cut & pasting it into a Cancel article a plausible security concern?


In Section 8.2:

  The IESG is considered to be the owner of all Netnews Cancel-Lock  hash algorithms that are on the IETF Standards Track.

I was looking for this text in Section 8.1. Is it worth also saying this in 8.1?
2017-05-30
04 Alexey Melnikov
Shepherd Write-Up (Date: 2017-05-17)
draft-baeuerle-netnews-cancel-lock-04


1) Type of RFC
==============
The intended category of this document will be "Standards Track".
The intended status of this …
Shepherd Write-Up (Date: 2017-05-17)
draft-baeuerle-netnews-cancel-lock-04


1) Type of RFC
==============
The intended category of this document will be "Standards Track".
The intended status of this document will be "Proposed Standard".

This is the proper type of RFC because this document specifies a
long-standing authentication system that has been in use for more than
20 years with regards to Netnews articles.



2) Document Announcement Write-Up
=================================

Technical Summary
-----------------
This document defines an extension to the Netnews Article Format that
may be used to authenticate the cancelling and superseding of existing
articles.  If approved, this document updates RFC 5537.


Working Group Summary
---------------------
The draft was reviewed by a few NNTP and Netnews experts in
and .


Document Quality
----------------
Implementations of the mechanism already exist, like the canlock C
library or Perl hooks available for news servers.
News clients like Gnus, flnews, slrn or tin natively implement it.

Document Shepherd: Julien Elie
Responsible Area Director: Alexey Melnikov



3) Briefly describe the review of this document
===============================================
I have reviewed the document and checked that it correctly describes the
behaviour of existing implementations.  I reckon it is ready for
publication.



4) Shepherd concerns
====================
No concerns.



5) Further document review
==========================
Two questions (in Sections 4 and 7) are inline in the document for the
Security directorate review.  They were risen during discussions about
the document and just await for the validation by the Security directorate.



6) Document issues
==================
No issues (beyond the two remaining minor questions for the Security
directorate).



7) IPR disclosures
==================
The author confirmed that there is no IPR involved.



8) Has an IPR disclosure been filed that references this document?
==================================================================
Nothing known.



9) Consensus of the interested community behind this document?
==============================================================
There is consensus that the work Simon Lyall began in 1998 in
draft-ietf-usefor-cancel-lock should be updated to current usage and
standardized.  It will help future implementers.

At the same time, the insecure MD5 algorithm is phased out.  A IANA
registry is created to permit new algorithm names to be easily reserved
and used with this mechanism.



10) Has anyone threatened an appeal or indicated extreme discontent?
====================================================================
No.



11) ID nits
===========
== Too long line in Section 5.2

Maybe rewrite "uid+mid used as data, sec as secret key" as "uid+mid is
data, sec is secret key"?


== The document seems to contain a disclaimer for pre-RFC5378 work [...]
If you are able to get all authors (current and original) to grant those
rights, you can and should remove the disclaimer

I think Simon is still answering his mails.  He should be asked whether
he is willing to grant his rights so that the final document can be
released without the disclaimer.  Of course, if he does not want to, the
disclaimer should remain.


== Possible downref: Non-RFC (?) normative reference: ref. 'SHA'

As the "sha256" scheme is mandatory to implement, a reference to its
definition should be normative.
I suggest to move [SHA] to informative, and [RFC6234] (specifying
SHA-256) to normative.  Though RFC 6234 is Informational, it is present
in the Downref registry , so
it is fine.




12) Required formal review criteria
===================================
N/A.



13) Identification of all references as either normative or informative?
========================================================================
Yes.



14) Normative references to documents not ready for advancement?
================================================================
None.



15) Are there downward normative references (see RFC 3967)?
======================================================================
With RFC 6234 in the normative Section (see my previous comment in
question 11), it is a downref, already present in the Downref registry.



16) Status change of any existing RFCs?
=======================================
It updates RFC 5537 as noted in the title page header, listed in the
Abstract, and discussed in the Introduction.



17) Document Shepherd's review of the IANA Considerations Section
=================================================================
The IANA Considerations Section is consistent with the body of the
document.  The two new header field names and the four new algorithm
names are properly associated with a reservation in IANA registries.
The two referenced IANA registries are clearly identified.  The initial
contents of the algorithm names registry is detailed; allocation
procedures for future registrations are defined, and the name for the
registry is reasonable.



18) IANA registries that require Expert Review for future allocations
=====================================================================
None.


19) Reviews and automated checks performed to validate formal languages
=======================================================================
No automated checks, only a manual review.
2017-05-30
04 Alexey Melnikov IESG state changed to AD Evaluation from Publication Requested
2017-05-07
04 Alexey Melnikov Assigned to Applications and Real-Time Area
2017-05-07
04 Alexey Melnikov Responsible AD changed to Alexey Melnikov
2017-05-07
04 Alexey Melnikov Intended Status changed to Proposed Standard
2017-05-07
04 Alexey Melnikov IESG process started in state Publication Requested
2017-05-07
04 (System) Earlier history may be found in the Comment Log for /doc/draft-ietf-usefor-cancel-lock/
2017-05-07
04 Alexey Melnikov Stream changed to IETF from None
2017-04-10
04 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-04.txt
2017-04-10
04 (System) New version approved
2017-04-10
04 (System) Request for posting confirmation emailed to previous authors: =?utf-8?q?Michael_B=C3=A4uerle?=
2017-04-10
04 Michael Bäuerle Uploaded new revision
2017-03-27
03 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-03.txt
2017-03-27
03 (System) New version approved
2017-03-27
03 (System) Request for posting confirmation emailed to previous authors: =?utf-8?q?Michael_B=C3=A4uerle?=
2017-03-27
03 Michael Bäuerle Uploaded new revision
2017-03-10
02 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-02.txt
2017-03-10
02 (System) New version approved
2017-03-10
02 (System) Request for posting confirmation emailed to previous authors: =?utf-8?q?Michael_B=C3=A4uerle?=
2017-03-10
02 Michael Bäuerle Uploaded new revision
2017-03-08
01 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-01.txt
2017-03-08
01 (System) New version approved
2017-03-08
01 (System) Request for posting confirmation emailed to previous authors: =?utf-8?q?Michael_B=C3=A4uerle?=
2017-03-08
01 Michael Bäuerle Uploaded new revision
2017-03-06
00 Cindy Morgan This document now replaces draft-ietf-usefor-cancel-lock instead of None
2017-03-06
00 Cindy Morgan Reviewed suggested replacement relationships: draft-ietf-usefor-cancel-lock
2017-03-06
00 (System) Added suggested replacement relationships: draft-ietf-usefor-cancel-lock
2017-03-06
00 (System) This document now replaces None instead of None
2017-03-06
00 Michael Bäuerle New version available: draft-baeuerle-netnews-cancel-lock-00.txt
2017-03-06
00 (System) New version approved
2017-03-06
00 Michael Bäuerle Request for posting confirmation emailed  to submitter and authors: =?utf-8?q?Michael_B=C3=A4uerle?=
2017-03-06
00 Michael Bäuerle Uploaded new revision