Telechat Review of draft-ietf-httpauth-scram-auth-12
review-ietf-httpauth-scram-auth-12-opsdir-telechat-chown-2015-12-22-00
Request | Review of | draft-ietf-httpauth-scram-auth |
---|---|---|
Requested revision | No specific revision (document currently at 15) | |
Type | Telechat Review | |
Team | Ops Directorate (opsdir) | |
Deadline | 2015-12-15 | |
Requested | 2015-11-29 | |
Authors | Alexey Melnikov | |
I-D last updated | 2015-12-22 | |
Completed reviews |
Genart Last Call review of -13
by Ralph Droms
(diff)
Genart Last Call review of -14 by Ralph Droms (diff) Secdir Telechat review of -11 by Russ Housley (diff) Opsdir Telechat review of -12 by Tim Chown (diff) |
|
Assignment | Reviewer | Tim Chown |
State | Completed | |
Request | Telechat review on draft-ietf-httpauth-scram-auth by Ops Directorate Assigned | |
Reviewed revision | 12 (document currently at 15) | |
Result | Has issues | |
Completed | 2015-12-22 |
review-ietf-httpauth-scram-auth-12-opsdir-telechat-chown-2015-12-22-00
Hi, I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. The context of this draft lies within the httpauth WG, which was chartered as a short-lived WG to produce Informational or Experimental status documents on improving user authentication schemes beyond plaintext passwords protected by TLS (as per the charter text at https://datatracker.ietf.org/wg/httpauth/charter/ ). This Experimental specification describes a family of HTTP authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which claims to improve on the HTTP Digest authentication method and be more readily deployable. I note that the document mentions the ‘deployment obstacles’ of alternative methods, esp. HTTP Digest, but doesn’t discuss explicitly what these were, or why it is believed that SCRAM Auth will fare better. It may be useful to include a brief summary near the start of the document (though doing so could delay publication if the WG gas trouble agreeing on the precise wording for this, so it would likely need to be a high-level statement) . The draft has been through a large number (6) of relatively small updates in the past month. The update from -11 to -12 adds a statement at the end of the Security Considerations section stating that SHA-256 is the recommended hashing mechanism, over SHA-1 (which was the common mechanism described in RFC 5802). I believe a further edit is required here: change: " (e.g., SCRAM with a successor to SHA-1 may be preferred over SCRAM with SHA-1)." to: “(e.g. SCRAM with SHA-256 should be preferred over SCRAM with SHA-1).” otherwise the “may” and the “should” are in conflict. The final paragraph could then be moved up to immediately follow this paragraph. The update from -12 -13 changed the document status from Standards Track to Experimental, as required by the charter. The charter implies that mechanisms should be reviewed by the httpbis WG, to avoid clashes with work elsewhere, so it may be useful for the AD to ensure there is evidence of this having happened (obviously not required in the document itself). The charter also states that drafts produced within the WG should include a description of the mechanisms applicability, e.g. via use cases. There appears to be no such statement in the draft, perhaps because the applicability is broad. This could perhaps be clarified at the end of the Introduction section. The Nits tool reports a small number of nits, including an orphaned reference to RFC 5246. This should probably be cited in the first mention of TLS in the very first paragraph of the Introduction. Other than these minor comments, I believe the document is Ready. Tim