HTTP Digest Access Authentication
draft-ietf-httpauth-digest-19
Yes
(Barry Leiba)
No Objection
(Alvaro Retana)
(Benoît Claise)
(Brian Haberman)
(Deborah Brungard)
(Jari Arkko)
(Martin Stiemerling)
(Spencer Dawkins)
Note: This ballot was opened for revision 18 and is now closed.
Barry Leiba Former IESG member
Yes
Yes
(for -18)
Unknown
Ben Campbell Former IESG member
Yes
Yes
(2015-04-21 for -18)
Unknown
Just a few minor comments: 3.3, domain: "If the URI is an abs_path..." Should that be "path-absolute", in keeping with the reference to 3986? 3.6, paragraph 4: "Because the client is REQUIRED to return..." The use of a 2119 keyword in a dependent clause seems odd. 5.1: "Digest authentication SHOULD be used over a secure channel like HTTPS" Does this mean that, if you have a secure channel you should use digest, or if you use digest you should use a a secure channel? I assume the second, but the sentence can be parsed either way.
Kathleen Moriarty Former IESG member
(was Discuss, Yes)
Yes
Yes
(2015-04-24)
Unknown
IANA questions have been addressed.
Stephen Farrell Former IESG member
Yes
Yes
(2015-04-21 for -18)
Unknown
I'm a yes on this, not because it's great technology (it just isn't;-), but because it is a valiant effort to do responsible updates to a scheme that is used somewhat. Thanks for doing the work. - The intro could usefully say that this extends but is generally backwards compatible with 2617 if you don't use any new stuff and include a pointer to appendix A as well. - p5, "nonce": "data string" is an odd combination - p6, "stale": Is "TRUE" the literal value? What if it's "1" or "y" - just wondering in case current code does something there. Section 3.3 (and elsewhere) uses "true" and "false" which aren't the same as TRUE and FALSE (or are they?) It'd be good to be consistent or to say that we're not being consistent, presumably for historical reasons. - end of 3.4: is there a specific section of 7234 that's most relevant? If so, good to say so. - 5.3, you could maybe add a reference to RFC7486 at the end of the 1st para (that is blatent self-advertisement, but I couldn't resist:-) - 5.6, is the "note" about Basic still true? I thought Julian or someone tested it and found it not quite so bad? - I think something went wrong with the secdir review [1] but I'd also encourage us to try to bottom out on Hilarie's comments. There may be something there that could be used, without any damage to backwards compatibility, which would be interesting. [1] https://www.ietf.org/mail-archive/web/secdir/current/msg05621.html
Alvaro Retana Former IESG member
No Objection
No Objection
(for -18)
Unknown
Benoît Claise Former IESG member
No Objection
No Objection
(for -18)
Unknown
Brian Haberman Former IESG member
No Objection
No Objection
(for -18)
Unknown
Deborah Brungard Former IESG member
No Objection
No Objection
(for -18)
Unknown
Jari Arkko Former IESG member
No Objection
No Objection
(for -18)
Unknown
Joel Jaeggli Former IESG member
No Objection
No Objection
(2015-04-19 for -18)
Unknown
testrealm.com is of course a domain that actually exists... testrealm.example.org/com would seem fine.
Martin Stiemerling Former IESG member
No Objection
No Objection
(for -18)
Unknown
Spencer Dawkins Former IESG member
No Objection
No Objection
(for -18)
Unknown
Terry Manderson Former IESG member
No Objection
No Objection
(2015-04-21 for -18)
Unknown
A simple comment to resolve, I would think - avoid using actual DNS domains. Please use example.com, or at least provide rational as to why example.com/net can't be used.