Early Review of draft-ietf-httpbis-p7-auth-
review-ietf-httpbis-p7-auth-secdir-early-kent-2012-08-24-00
| Request | Review of | draft-ietf-httpbis-p7-auth |
|---|---|---|
| Requested revision | No specific revision (document currently at 26) | |
| Type | Early Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2013-12-17 | |
| Requested | 2012-08-15 | |
| Authors | Roy T. Fielding , Julian Reschke | |
| I-D last updated | 2012-08-24 | |
| Completed reviews |
Genart Last Call review of -24 by Kathleen Moriarty
(diff)
Genart Telechat review of -25 by Kathleen Moriarty (diff) Secdir Early review of -?? by Stephen Kent Secdir Last Call review of -24 by Stephen Kent (diff) |
|
| Assignment | Reviewer | Stephen Kent |
| State | Completed | |
| Request | Early review on draft-ietf-httpbis-p7-auth by Security Area Directorate Assigned | |
| Result | Ready w/nits | |
| Completed | 2012-08-24 |
review-ietf-httpbis-p7-auth-secdir-early-kent-2012-08-24-00
I
reviewed this document as part of the security directorate's
ongoing effort to
review all IETF documents being processed by the IESG.
These comments were written
primarily for the
benefit of the security area directors.
Document editors and WG chairs should treat these
comments just like any
other last call comments.
This is a
fairly brief
document: 18 pages including appendices. The Abstract says that
this document “…defines
the HTTP Authentication framework” but the Introduction expands
the description,
saying that it “ describes HTTP/1.1 access control and
authentication.” I
suggest the introduction be changed to match the abstract,
especially since the
principal focus of the document is authentication. There are
several places
where the term “authorization” is used. In many contexts, this
term is a
synonym for access control. However, in this context it seems to
be used almost
interchangeably with “authentication” in most places. I suspect
the terminology
choice arises for historical reasons, but it might be helpful to
explicitly
note this, where applicable.
The
introduction says that
it includes “the relevant parts of RFC 2616 with only minor
changes ([RFC2616]),
plus the general framework for HTTP authentication, as
previously defined in
"HTTP Authentication: Basic and Digest Access Authentication"
([RFC2617]).” The document updates RFC 2617, and obsoletes RFC
2616. It
includes an appendix that describes the differences between this
document and
(the relevant portions) of 2616 and 2617.
I’m not sure
whether the
use of lowercase “ought” in four places in Section 2.3.1 is
intended to express
a new level of IETF standards compliance,
perhaps filling the gap between MAY and SHOULD
;-)
.
I like the
fact that the
Security Considerations section addresses implementation issues,
since the
document, overall, addresses security. Only two topics are
discussed here, but
both seem relevant. I am surprised that there is no mention of
using HTTPS, to
protect the most commonly used credentials, i.e., passwords.