Early Review of draft-ietf-httpbis-p7-auth-
review-ietf-httpbis-p7-auth-secdir-early-kent-2012-08-24-00

Request Review of draft-ietf-httpbis-p7-auth
Requested rev. no specific revision (document currently at 26)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2013-12-17
Requested 2012-08-15
Other Reviews Genart Last Call review of -24 by Kathleen Moriarty
Genart Telechat review of -25 by Kathleen Moriarty
Secdir Last Call review of -24 by Stephen Kent
Review State Completed
Reviewer Stephen Kent
Review review-ietf-httpbis-p7-auth-secdir-early-kent-2012-08-24
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html
Review result Ready with Nits
Draft last updated 2012-08-24
Review completed: 2012-08-24

Review
review-ietf-httpbis-p7-auth-secdir-early-kent-2012-08-24

I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.

These comments were written primarily for the benefit of the security area directors.

Document editors and WG chairs should treat these comments just like any other last call comments.

This is a fairly brief document: 18 pages including appendices. The Abstract says that this document “…defines the HTTP Authentication framework” but the Introduction expands the description, saying that it “describes HTTP/1.1 access control and authentication.” I suggest the introduction be changed to match the abstract, especially since the principal focus of the document is authentication. There are several places where the term “authorization” is used. In many contexts, this term is a synonym for access control. However, in this context it seems to be used almost interchangeably with “authentication” in most places. I suspect the terminology choice arises for historical reasons, but it might be helpful to explicitly note this, where applicable.

The introduction says that it includes “the relevant parts of RFC 2616 with only minor changes ([RFC2616]), plus the general framework for HTTP authentication, as previously defined in "HTTP Authentication: Basic and Digest Access Authentication" ([RFC2617]).” The document updates RFC 2617, and obsoletes RFC 2616. It includes an appendix that describes the differences between this document and the relevant portions of 2616 and 2617.

I’m not sure whether the use of lowercase “ought” in four places in Section 2.3.1 is intended to express a new level of IETF standards compliance, perhaps filling the gap between MAY and SHOULD ;-).

I like the fact that the Security Considerations section addresses implementation issues, since the document, overall, addresses security. Only two topics are discussed here, but both seem relevant. I am surprised that there is no mention of using HTTPS, to protect the most commonly used credentials, i.e., passwords.
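The reviewer's last point, that the draft never mentions HTTPS as the protection for password credentials, is illustrated by the following added example. It is not part of the review or of the httpbis draft: it parses an `Authorization` header into the auth-scheme and token68 shape the framework defines, decodes a Basic token, and flags the case where such credentials travel over cleartext HTTP. The header values, user names and passwords are constructed samples, and the `assess_request` function and its `url_scheme` argument are assumptions of this example rather than anything the draft specifies.

```python
"""Added example (not from the secdir review or the httpbis draft).

Shows why HTTPS matters for the most common credential type: a Basic token
is only base64-encoded, so whoever can read the bytes on the wire recovers
the password unless TLS protects the connection. All sample values below
are constructed for this example.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample: "alice:hunter2" base64-encoded, as sent on the wire.
SAMPLE_HEADERS = {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}


def parse_credentials(header_value: str) -> Tuple[str, Optional[str]]:
    """Split an Authorization value into (auth-scheme, remainder).

    The framework's credentials are an auth-scheme token, optionally
    followed by whitespace and either a token68 or a parameter list.
    The auth-scheme is case-insensitive, so it is normalised to lowercase.
    """
    parts = header_value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty credentials")
    scheme = parts[0].lower()
    rest = parts[1].strip() if len(parts) > 1 else None
    return scheme, rest


def decode_basic(token68: str) -> Tuple[str, str]:
    """Recover (user-id, password) from a Basic token68.

    Rejects malformed base64 and a payload with no ':' separator. Only the
    first ':' splits the pair, because the password may itself contain ':'.
    """
    try:
        raw = base64.b64decode(token68, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in Basic credentials: {exc}") from exc
    text = raw.decode("utf-8")  # UnicodeDecodeError is a ValueError subclass
    if ":" not in text:
        raise ValueError("Basic credentials must contain ':'")
    user, password = text.split(":", 1)
    return user, password


def assess_request(url_scheme: str, headers: Dict[str, str]) -> dict:
    """Classify the transport exposure of Basic credentials in a request.

    url_scheme is the scheme of the request URI ("http" or "https"); this
    example assumes "https" means TLS end to end. Only the Basic scheme is
    judged here; other schemes are reported as not assessed. The password
    is discarded immediately and never included in the result.
    """
    header = headers.get("Authorization")
    if header is None:
        return {"scheme": None, "user": None, "exposed": False,
                "finding": "no credentials present"}
    scheme, rest = parse_credentials(header)
    if scheme != "basic" or rest is None:
        return {"scheme": scheme, "user": None, "exposed": False,
                "finding": f"scheme '{scheme}' not assessed by this example"}
    user, _password = decode_basic(rest)
    exposed = url_scheme.lower() != "https"
    finding = ("Basic credentials over cleartext HTTP: password recoverable "
               "by any on-path observer" if exposed
               else "Basic credentials protected in transit by TLS")
    return {"scheme": scheme, "user": user, "exposed": exposed,
            "finding": finding}


if __name__ == "__main__":
    for transport in ("http", "https"):
        print(transport, assess_request(transport, SAMPLE_HEADERS))
```

Running the block reports the same user for both transports but marks only the cleartext case as exposed, which is exactly the gap the reviewer expects the Security Considerations to address: the framework itself offers no confidentiality, so the guidance to use HTTPS has to come from somewhere.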