Last Call Review of draft-ietf-httpbis-unprompted-auth-10
review-ietf-httpbis-unprompted-auth-10-genart-lc-enghardt-2024-09-09-00
Request | Review of | draft-ietf-httpbis-unprompted-auth |
---|---|---|
Requested revision | No specific revision (document currently at 12) | |
Type | Last Call Review | |
Team | General Area Review Team (Gen-ART) (genart) | |
Deadline | 2024-09-11 | |
Requested | 2024-08-28 | |
Authors | David Schinazi , David Oliver , Jonathan Hoyland | |
I-D last updated | 2024-09-09 | |
Completed reviews |
Secdir Last Call review of -10
by Rich Salz
(diff)
Genart Last Call review of -10 by Reese Enghardt (diff) Opsdir Last Call review of -10 by Ran Chen (diff) Artart Last Call review of -10 by Robert Sparks (diff) |
|
Assignment | Reviewer | Reese Enghardt |
State | Completed | |
Request | Last Call review on draft-ietf-httpbis-unprompted-auth by General Area Review Team (Gen-ART) Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/gen-art/DI5b7yhHiVWHYIU6rUDbitjunHA | |
Reviewed revision | 10 (document currently at 12) | |
Result | Ready w/nits | |
Completed | 2024-09-09 |
review-ietf-httpbis-unprompted-auth-10-genart-lc-enghardt-2024-09-09-00
I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <https://wiki.ietf.org/en/group/gen/GenArtFAQ>. Document: draft-ietf-httpbis-unprompted-auth-10 Reviewer: Reese Enghardt Review Date: 2024-09-09 IETF LC End Date: 2024-09-11 IESG Telechat date: Not scheduled for a telechat Summary: The document is fairly clear and concise. I have a few suggestions to make the document more accessible. Major issues: None. Minor issues: Section 1: "Members of less well-defined communities might use more ephemeral keys to acquire access to geography- or capability-specific resources, as issued by an entity whose user base is larger than the available resources can support (by having that entity metering the availability of keys temporally or geographically)." Does this sentence introduce a new use case that is separate from the company use case described in the previous sentence, or is it a similar use case but under different circumstances? It is not quite clear to me what a "member of a less well-defined community" is, I assume "less well-defined than employees of a company"? Are users within a certain geography or with devices with specific capabilities an example? What does "larger than the available resources can support" mean here, is this part tied to the new use case or circumstances described before? Please consider rephrasing this sentence to make it clearer. Section 2: As a non-expert, I would appreciate a high-level description of the entire flow here. The client generates the data to be signed and then sends the signature, and the details are in Sections 3 and 4, but what happens afterwards? Please consider adding one or two sentences to explain the basic principle of how the scheme works, i.e., how the server is then able to authenticate the client. Section 5: As this section is titled "Example", I expected a full example of the scheme, but it looks like this is just an example of a request. Please consider turning this section into a full example of how the scheme works, potentially moving it to after Section 6. Nits/editorial comments: None.