Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#536 closed editorial (incorporated)

IESG ballot on draft-ietf-httpbis-p7-auth-25

Reported by: julian.reschke@… Owned by: draft-ietf-httpbis-p7-auth@…
Priority: normal Milestone: 26
Component: p7-auth Severity: In IESG Evaluation
Keywords: Cc:

Description (last modified by fielding@…)

Jari Arkko

Comment (2013-12-19)

Kathleen Moriarty made a Gen-ART review which raised comments which I believe would be useful to consider (but we've not seen a reply yet).

This is a copy of #522.


Richard Barnes

Comment (2013-12-18)

COMMENT 1: In Section 3.1, suggest clarifying:

OLD: "The origin server MUST send a WWW-Authenticate ... target resource."

NEW: "The origin server MUST send a WWW-Authenticate ... target resource. (If the server is unwilling to grant access for any credentials, it should instead use the 403 (Forbidden) status code.)" -- we already say that in 2.1: A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the 403 (Forbidden) status code (Section 6.5.3 of [Part2]).


Sean Turner

Comment (2013-12-19)

*) I'll not repeat the OWS discuss point from p1. If it gets changed there I assume it will get changed here. If not then this can be ignored. -- see #537

0) Abstract: Maybe would add stateless in front of protocol in the description. -- see #538

1) So I guess the reason we're not saying TLS is an MTI with basic/digest is that that's getting done in an httpauth draft? It really wouldn't hurt to duplicate that while we're getting the other one done (I know you *don't* want a reference to that draft). -- see #539


Stephen Farrell

Comment (2013-12-18)

2.2: shouldn't there be some mention of how realms map to web-origins here? I don't necessarily mean in a normative manner, but to explain. -- They do not map to web origins directly; we discussed whether to ref the Origin spec but decided not to; see #322

4.2: I didn't find the description of chains of proxies very clear. An example would help I think. Although it looks like chains of proxies all doing 407 are not very well defined - is that fair? -- fixed in [2558]

Please check the secdir review. (http://www.ietf.org/mail-archive/web/secdir/current/msg03491.html) I agree with the comment that this really should have some mention of using TLS to protect basic/digest, even if that ought also be elsewhere. -- see #539
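As an added example (not part of this ticket or of the draft text), the 401-versus-403 distinction raised in COMMENT 1 and Section 2.1, together with the origin-server-versus-proxy targeting noted in comment:14, worked into a small Python decision function. The realm name, user store and role names are constructed for the example.

```python
import base64
import hmac

# Constructed sample credential store: username -> (password, set of roles).
USERS = {"alice": ("correct horse", {"reader", "editor"}),
         "bob": ("battery staple", {"reader"})}

REALM = "example"  # assumed realm name for the challenge

# Status code, challenge header and credential header differ by role:
# an origin server challenges with 401/WWW-Authenticate, a proxy with
# 407/Proxy-Authenticate, and each reads its own credential header.
ROLES = {
    "origin": (401, "WWW-Authenticate", "authorization"),
    "proxy": (407, "Proxy-Authenticate", "proxy-authorization"),
}


def basic_header(user, pw):
    """Client side: build a 'Basic <base64(user:pw)>' credential value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def parse_basic(value):
    """Return (user, password) from a Basic credential value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None


def authorize(headers, required_role, role="origin"):
    """Return (status, extra_headers) for one request.

    Missing or invalid credentials get a challenge (401 or 407 with the
    matching *-Authenticate header). Valid credentials that are not
    adequate for the resource get 403 with no challenge, since a challenge
    would wrongly invite the client to retry with the same credentials.
    """
    status, challenge, cred_header = ROLES[role]
    lower = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic(lower.get(cred_header, ""))
    if creds is None:
        return status, {challenge: f'Basic realm="{REALM}"'}
    user, pw = creds
    expected_pw, roles = USERS.get(user, ("", set()))
    # Timing-safe comparison; run it even for unknown users so the
    # unknown-user and wrong-password paths look alike.
    pw_ok = hmac.compare_digest(pw.encode(), expected_pw.encode())
    if not pw_ok or user not in USERS:
        return status, {challenge: f'Basic realm="{REALM}"'}
    if required_role not in roles:
        return 403, {}  # valid but inadequate: no challenge
    return 200, {}
```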

Change History (16)

comment:1 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:2 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:3 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:4 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:5 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:6 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:7 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:8 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:9 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:10 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:11 Changed 6 years ago by julian.reschke@…

  • Description modified (diff)

comment:12 Changed 6 years ago by julian.reschke@…

  • Resolution set to incorporated
  • Status changed from new to closed
  • Type changed from design to editorial

comment:13 Changed 6 years ago by fielding@…

From [2558]:

(editorial) rephrase the description of proxy chaining in Proxy-Authenticate; see #522 and #536

comment:14 Changed 6 years ago by fielding@…

From [2575]:

(editorial) move requirements specific to a given header field to where the field is defined; properly target requirements to roles; see #536

comment:15 Changed 6 years ago by fielding@…

  • Description modified (diff)

fix trac syntax

comment:16 Changed 6 years ago by fielding@…

  • Description modified (diff)