Last Call Review of draft-hansen-scram-sha256-02

Request Review of draft-hansen-scram-sha256
Requested rev. no specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-04-24
Requested 2015-04-02
Authors Tony Hansen
Draft last updated 2015-05-15
Completed reviews Genart Last Call review of -02 by Robert Sparks (diff)
Genart Last Call review of -03 by Robert Sparks (diff)
Genart Telechat review of -04 by Robert Sparks
Secdir Last Call review of -02 by Vincent Roca (diff)
Secdir Telechat review of -04 by Vincent Roca
Opsdir Last Call review of -02 by Mehmet Ersue (diff)
Assignment Reviewer Vincent Roca 
State Completed
Review review-hansen-scram-sha256-02-secdir-lc-roca-2015-05-15
Reviewed rev. 02 (document currently at 04)
Review result Has Issues
Review completed: 2015-05-15



I have reviewed this document as part of the security directorate’s ongoing

effort to review all IETF documents being processed by the IESG. These

comments were written primarily for the benefit of the security area

directors.  Document editors and WG chairs should treat these comments just

like any other last call comments.

Summary: ready with minor issues

This document records the SHA-256 variants of SCRAM SASL mechanisms.

As it complements RFC 5802, the authors refer to its security section:

   "The security considerations from [RFC5802] still apply."

I have no objection as RFC 5802 security section seems well documented

(I'm not an expert of the domain however).

That being said, I have two comments:

- there is no mention of the motivation for moving from SHA-1 to SHA-256.

  I think the security section is a nice place for that, and the authors can easily

  refer to RFC 4270 and RFC 6194 (there may be other references too that

  I’m not aware of).

- RFC 2119 is missing from the Normative References. Please add it.

   [R2119]  Bradner, S., "Key words for use in RFCs to Indicate

            Requirement Levels", BCP 14, RFC 2119, March 1997.

  I also think that RFC 4422 should be moved to the Normative References

  as it is a mandatory to read reference for the present document.






 Message signed with OpenPGP using GPGMail