#536 closed editorial (incorporated)
IESG ballot on draft-ietf-httpbis-p7-auth-25
| Reported by: | julian.reschke@… | Owned by: | draft-ietf-httpbis-p7-auth@… |
|---|---|---|---|
| Priority: | normal | Milestone: | 26 |
| Component: | p7-auth | Severity: | In IESG Evaluation |
| Keywords: | | Cc: | |
Description (last modified by fielding@…)
Jari Arkko
Comment (2013-12-19)
Kathleen Moriarty made a Gen-ART review which raised comments which I believe would be useful to consider (but we've not seen a reply yet).
This is a copy of #522.
Richard Barnes
Comment (2013-12-18)
COMMENT 1: In Section 3.1, suggest clarifying:
OLD: "The origin server MUST send a WWW-Authenticate ... target resource."
NEW: "The origin server MUST send a WWW-Authenticate ... target resource. (If the server is unwilling to grant access for any credentials, it should instead use the 403 (Forbidden) status code.)" -- we already say that in 2.1: A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the 403 (Forbidden) status code (Section 6.5.3 of [Part2]).
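To make the 401/403 distinction from sections 3.1 and 2.1 concrete, here is an added example (not code from the draft or the httpbis editors) of an origin-server decision function for the Basic scheme: a request with missing, malformed or invalid credentials gets 401 together with the mandatory WWW-Authenticate challenge, while a request whose credentials are valid but not adequate for the target resource gets 403 with no challenge. The user store, the realm name `example-realm`, the salt and the permission sets are constructed for the example; the helper names `parse_basic`, `verify`, `respond` and `basic_header` are my own.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample credential store: username -> (salted SHA-256 hex, set of permitted paths).
# It exists only so the example runs offline; it is not a recommendation for password storage.
_SALT = b"example-salt"


def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


USERS = {
    "alice": (_hash("correct horse"), {"/admin", "/reports"}),
    "bob": (_hash("hunter2"), {"/reports"}),
}
REALM = "example-realm"  # assumed realm name used in the challenge


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic' field value (user-id:password, base64)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization):
    """Return (user, password) from an Authorization field value, or None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # user-id and password MUST be separated by a single colon
        return None
    return user, password


def verify(user: str, password: str) -> bool:
    """Constant-time credential check; unknown users are compared against a dummy hash."""
    entry = USERS.get(user)
    expected = entry[0] if entry else _hash("")
    matches = hmac.compare_digest(expected, _hash(password))
    return matches and entry is not None


def respond(path: str, authorization):
    """Return (status, headers) for a request to `path` carrying the given Authorization value.

    401 + WWW-Authenticate: no acceptable credentials were presented (section 3.1).
    403, no challenge: credentials are valid but not adequate for this resource (section 2.1);
    repeating the request with the same credentials cannot succeed, so no challenge is sent.
    """
    creds = parse_basic(authorization)
    if creds is None or not verify(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    user, _ = creds
    if path not in USERS[user][1]:
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    print(respond("/reports", None))                            # 401 with challenge
    print(respond("/reports", basic_header("bob", "hunter2")))  # 200
    print(respond("/admin", basic_header("bob", "hunter2")))    # 403, valid but inadequate
```

The interesting case is the last one: `bob` authenticates successfully, so answering 401 would only make a client re-prompt for credentials that are already correct; 403 tells it that access is refused for these credentials regardless.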
Sean Turner
Comment (2013-12-19)
*) I'll not repeat the OWS discuss point from p1. If it gets changed there I assume it will get changed here. If not then this can be ignored. -- see #537
0) Abstract: Maybe would add stateless in front of protocol in the description. -- see #538
1) So I guess the reason we're not saying TLS is an MTI with basic/digest is that that's getting done in an httpauth draft? It really wouldn't hurt to duplicate that while we're getting the other one done (I know you *don't* want a reference to that draft). -- see #539
Stephen Farrell
Comment (2013-12-18)
2.2: shouldn't there be some mention of how realms map to web-origins here? I don't necessarily mean in a normative manner, but to explain. -- They do not map to web origins directly; we discussed whether to ref the Origin spec but decided not to; see #322
4.2: I didn't find the description of chains of proxies very clear. An example would help I think. Although it looks like chains of proxies all doing 407 are not very well defined - is that fair? -- fixed in [2558]
Please check the secdir review. (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I agree with the comment that this really should have some mention of using TLS to protect basic/digest, even if that ought also be elsewhere. -- see #539
Change History (16)
comment:1 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:2 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:3 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:4 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:5 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:6 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:7 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:8 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:9 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:10 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:11 Changed 9 years ago by julian.reschke@…
- Description modified (diff)
comment:12 Changed 9 years ago by julian.reschke@…
- Resolution set to incorporated
- Status changed from new to closed
- Type changed from design to editorial
comment:13 Changed 8 years ago by fielding@…
comment:14 Changed 8 years ago by fielding@…
comment:16 Changed 8 years ago by fielding@…
- Description modified (diff)
From [2558]:
(editorial) rephrase the description of proxy chaining in Proxy-Authenticate; see #522 and #536