Telechat Review of draft-ietf-httpauth-digest-18
review-ietf-httpauth-digest-18-genart-telechat-dupont-2015-04-23-00
Request: Review of draft-ietf-httpauth-digest
Requested revision: No specific revision (document currently at 19)
Type: Telechat Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2015-04-21
Requested: 2015-04-09
Authors: Rifaat Shekh-Yusef, David Ahrens, Sophie Bremer
I-D last updated: 2015-04-23
Completed reviews:
  Genart Last Call review of -15 by Francis Dupont
  Genart Telechat review of -18 by Francis Dupont
  Secdir Last Call review of -15 by Hilarie Orman
  Opsdir Last Call review of -15 by Scott O. Bradner

Assignment:
  Reviewer: Francis Dupont
  State: Completed
  Request: Telechat review on draft-ietf-httpauth-digest by General Area Review Team (Gen-ART) Assigned
  Reviewed revision: 18 (document currently at 19)
  Result: Ready
  Completed: 2015-04-23
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-ietf-httpauth-digest-15.txt
Reviewer: Francis Dupont
Review Date: 20150402
IETF LC End Date: 20150402
IESG Telechat date: unknown

Summary: Ready

Major issues: None

Minor issues: None

Nits/editorial comments: I reviewed the 15 version but I can see the 16 one is already available so I'll try to update my comments.

- first I was a bit surprised nobody just asked to jump to HTTPS (or HSTS) but reading the document it seems there are still good uses of the digest authentication scheme...

- 3.3 page 5: IMHO the "opaque" field is clearly a nonce (i.e., more a nonce than the "nonce" field) but I understand this was inherited from RFC 2617...

- 3.3 page 7 (algorithm, twice) and some other places: e.g. -> e.g.,

- 3.3 page 7 (algorithm): I noted the algo protocol is still a keyed one vs. HMAC (cf. AH which switched from keyed to HMAC between RFC 1826 and RFC 2402) but I believe you have a good reason to do this (and the secdir will say if it is OK anyway).

- 3.4.2 page 11: e.g. -> e.g., (again but this one is at the end of a line)

- 3.4.2 page 11: cnounce -> cnonce

- 3.4.2 page 11: the presentation of this definition is very misleading:

    A1 = H( unq(username) ":" unq(realm) ":" passwd ) ":" unq(nonce-prime) ":" unq(cnonce-prime)

  I strongly suggest something like:

    A1 = H( unq(username) ":" unq(realm) ":" passwd ) ":" unq(nonce-prime) ":" unq(cnonce-prime)

- 3.4.2 page 11: the server need only use
                            ^ needs

- 3.5 page 14: affects -> effects

- 5.2 page 21: this information need not be decrypted
                                ^ needs

- 6.1 page 27: can you instantiate the RFC XXX:
    MD5: RFC 1321
    SHA-256: FIPS 180-2
    SHA-512/256: FIPS 180-4?

- A page 30: negotitation -> negotiation

Regards

Francis.Dupont at fdupont.fr
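As an added illustration of the A1 definition discussed in the review (this code is not part of the draft, the review, or any IETF deliverable), the following Python computes the Digest response for a plain algorithm and for its -sess variant, writing the -sess A1 exactly as the review quotes it so that the nesting of H() is unambiguous in code. It also shows the reading a badly wrapped definition invites (nonce and cnonce pulled inside the inner hash) and that it produces a different, non-interoperable value, and a server-side check that only needs the stored H(username:realm:password). All function names and the sample challenge values in the main block are constructed for this example; the single test vector is the public MD5 example from RFC 2617, section 3.5. Only MD5 and SHA-256 are wired up.

```python
import hashlib
import hmac

# Added example, not the draft's or the review's code. Only MD5 and SHA-256
# are supported here; a "-sess" suffix selects the session variant.
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _base_alg(alg: str) -> str:
    """Strip a -sess suffix: 'SHA-256-sess' -> 'SHA-256'."""
    return alg[: -len("-sess")] if alg.endswith("-sess") else alg


def H(alg: str, data: str) -> str:
    """H(data): the hash as a lowercase hex string, as the scheme uses it."""
    return _HASHES[_base_alg(alg)](data.encode("utf-8")).hexdigest()


def KD(alg: str, secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data): a keyed hash, not an HMAC."""
    return H(alg, secret + ":" + data)


def h_a1(alg, username, realm, password, nonce="", cnonce=""):
    """H(A1) for the plain and the -sess algorithms.

    Plain:  A1 = unq(username) ":" unq(realm) ":" passwd
    -sess:  A1 = H( unq(username) ":" unq(realm) ":" passwd )
                 ":" unq(nonce) ":" unq(cnonce)

    In the -sess form only the credential part is inside the inner H();
    nonce and cnonce are appended to that hex digest, and the whole A1 is
    then hashed once more.
    """
    inner = f"{username}:{realm}:{password}"
    if not alg.endswith("-sess"):
        return H(alg, inner)
    a1 = H(alg, inner) + ":" + nonce + ":" + cnonce
    return H(alg, a1)


def h_a1_misread(alg, username, realm, password, nonce, cnonce):
    """The reading a wrapped definition invites: nonce and cnonce inside the
    inner H(). Kept only to show that the two readings do not agree."""
    return H(alg, f"{username}:{realm}:{password}:{nonce}:{cnonce}")


def digest_response(alg, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client side, qop=auth:
    response = KD( H(A1), unq(nonce) ":" nc ":" unq(cnonce) ":" unq(qop) ":" H(A2) )
    with A2 = Method ":" request-uri."""
    ha2 = H(alg, f"{method}:{uri}")
    ha1 = h_a1(alg, username, realm, password, nonce, cnonce)
    return KD(alg, ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(alg, stored_ha1, method, uri, nonce, nc, cnonce,
                  client_response, qop="auth"):
    """Server side. stored_ha1 is H(username ":" realm ":" password) under the
    base algorithm; for -sess the server derives the per-session H(A1) from it
    without ever needing the password itself."""
    ha1 = H(alg, f"{stored_ha1}:{nonce}:{cnonce}") if alg.endswith("-sess") else stored_ha1
    ha2 = H(alg, f"{method}:{uri}")
    expected = KD(alg, ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    # Constructed sample values; not taken from the draft or the review.
    alg, user, realm, pw = "SHA-256-sess", "alice", "example.invalid", "correct horse"
    nonce, cnonce, nc = "c0ffee-server-nonce", "f00d-client-nonce", "00000001"
    resp = digest_response(alg, user, realm, pw, "GET", "/dir/index.html", nonce, nc, cnonce)
    stored = H(alg, f"{user}:{realm}:{pw}")
    print("response:", resp)
    print("server accepts:", server_verify(alg, stored, "GET", "/dir/index.html", nonce, nc, cnonce, resp))
    print("misread A1 agrees with spec:", h_a1_misread(alg, user, realm, pw, nonce, cnonce) == h_a1(alg, user, realm, pw, nonce, cnonce))
```

The server function is the practical reason the grouping matters: with the inner H() covering only username, realm and password, a server can hold that digest instead of the password and still validate -sess responses; if the nonce and cnonce were inside the inner hash, no stored value could be reused across sessions.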