Last Call Review of draft-ietf-precis-7613bis-07
review-ietf-precis-7613bis-07-secdir-lc-salowey-2017-06-25-00

Request Review of draft-ietf-precis-7613bis
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-06-27
Requested 2017-06-13
Authors Peter Saint-Andre , Alexey Melnikov
I-D last updated 2017-06-25
Completed reviews Secdir Last Call review of -07 by Joseph A. Salowey
Genart Last Call review of -07 by Linda Dunbar
Opsdir Last Call review of -08 by Tina Tsou (Ting ZOU)
Assignment Reviewer Joseph A. Salowey
State Completed
Request Last Call review on draft-ietf-precis-7613bis by Security Area Directorate Assigned
Reviewed revision 07 (document currently at 11)
Result Has nits
Completed 2017-06-25
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is that the document is ready with nits.

This document is an update to RFC 7613.  A few minor comments:

1.  I think it would be good to show that the zero-length password is not
allowed in table 4 (18 | <> | zero-length password).  There are lots of cases
where allowing zero-length passwords has led to problems.  Disallowing
zero-length passwords is helpful.

2.  Comparison of passwords is a touchy subject.  I can't think of a case
where it would be preferable to do a direct password comparison.  In most
cases the comparison will be done against a salted-hashed transform of the
password or involve some other cryptographic operation.  I think it would be
good to discuss this briefly in the security considerations section; sample
text is below:

"Password Comparison

Verification of passwords during authentication will not use the comparison
defined in section 4.2.3.  Instead, cryptographic calculations are performed to
verify the password.  In most cases the password will be prepared as in
section 4.2.1 and meet the rules enforced in section 4.2.2 before the
calculations are performed."
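The flow the reviewer describes in item 2 (prepare per section 4.2.1, enforce per section 4.2.2, then a salted cryptographic check instead of the section 4.2.3 string comparison), together with the zero-length rejection from item 1, as an added illustration that is not part of the review or of the draft. The FreeformClass membership check is an assumption-level approximation that rejects only control and unassigned code points; the real class excludes more, and the PBKDF2 parameters are illustrative.

```python
import hashlib
import hmac
import os
import unicodedata


def prepare_opaque_string(pw: str) -> str:
    """Preparation (sec. 4.2.1), approximated: reject code points outside the
    FreeformClass. Only controls (Cc) and unassigned (Cn) are checked here;
    the full class has further exclusions (assumption, not the RFC tables)."""
    for ch in pw:
        if unicodedata.category(ch) in ("Cc", "Cn"):
            raise ValueError(f"disallowed code point U+{ord(ch):04X}")
    return pw


def enforce_opaque_string(pw: str) -> str:
    """Enforcement (sec. 4.2.2): width and case mapping are no-ops for
    OpaqueString; non-ASCII spaces (category Zs) map to U+0020; then NFC;
    finally a zero-length result is rejected (the review's item 1)."""
    pw = prepare_opaque_string(pw)
    pw = "".join(" " if unicodedata.category(c) == "Zs" else c for c in pw)
    pw = unicodedata.normalize("NFC", pw)
    if len(pw) == 0:
        raise ValueError("zero-length password not allowed")
    return pw


def enroll(pw: str, salt: bytes = b"", rounds: int = 100_000) -> tuple:
    """Store only a salted PBKDF2-HMAC-SHA256 transform of the enforced string."""
    salt = salt or os.urandom(16)
    prepared = enforce_opaque_string(pw).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", prepared, salt, rounds)


def verify(candidate: str, salt: bytes, stored: bytes, rounds: int = 100_000) -> bool:
    """Verification: the candidate goes through the same preparation and
    enforcement, then the transforms are compared in constant time. The
    plain-string comparison of sec. 4.2.3 is never used on passwords."""
    try:
        prepared = enforce_opaque_string(candidate).encode("utf-8")
    except ValueError:
        return False  # empty or disallowed input fails closed
    digest = hashlib.pbkdf2_hmac("sha256", prepared, salt, rounds)
    return hmac.compare_digest(digest, stored)
```

Because enforcement runs before hashing, a user who enrolls "café" precomposed and later types it with a combining accent and a no-break space still verifies, while an empty string is rejected before any comparison.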