Re: AD Review of draft-ietf-httpbis-unprompted-auth-09

Hi Francesca, and thank you for the review!

I've addressed all your comments in this PR:
https://github.com/httpwg/http-extensions/pull/2885
Can you confirm that this works for you please?

Detailed responses inline.

On Wed, Aug 28, 2024 at 2:34 AM Francesca Palombini <francesca.palombini@ericsson.com> wrote:

> # AD Review of draft-ietf-httpbis-unprompted-auth-09
>
>
>
> cc @fpalombini
>
>
>
> Thank you for this document, I found it very clear and easy to read. I
> only have one minor comment and some nits, you can take care of these at
> the same time as any other comments from IETF last call, which I will
> initiate now.
>
>
>
> Francesca
>
>
>
> ## Comments
>
>
>
> ### key exporter
>
>
>
> Section 3:
>
> > When a client wishes to uses the Concealed HTTP authentication scheme
> with a request, it SHALL compute the authentication proof using a TLS
> keying material exporter [KEY-EXPORT] with the following parameters:
>
>
>
> It is not clear to me if this doc uses the original RFC 5705 version (as
> referenced) or the updated construction by TLS 1.3 (Section 7.5 of RFC
> 8446). By the way it is referenced, and the way I interpret the "Update"
> header tag for RFCs, I'd assume 5705 - if my assumption is wrong, maybe
> some text (and an additional reference to TLS 1.3 in the sentence above)
> would help remove all ambiguity. Otherwise, has the working group
> considered using the TLS 1.3 exporter, rather than the RFC 5705 one?
>

It's not possible to use the RFC 5705 construction with TLS 1.3. That said,
I agree that the text could be improved. I've removed the reference from
that sentence and instead added the following below it to remove ambiguity:
<<Note that TLS 1.3 keying material exporters are defined in Section 7.5 of
[TLS], while TLS 1.2 keying material exporters are defined in
[KEY-EXPORT].>>

> ## Nits
>
>
>
> ### nit
>
>
>
> Section 3.2:
>
> >The key exporter context contains the following fields:
>
>
>
> A copy paste gone wrong, I assume :) s/context/output?
>

Indeed. Fixed. Thanks for noticing!

> ### Id nits complaints
>
>
>
> ID-Nits gives me the following warning:
>
>
>
>   == Unused Reference: 'RFC8792' is defined on line 664, but no explicit
>      reference was found in the text
>
>
>
> This is a false positive, but I think moving the first line of Figure 5
> and 6 out of the figure would fix it.
>

This is a bug in the idnits tool. RFC 8792 itself asks us to put this text
inside the diagrams:
https://www.rfc-editor.org/rfc/rfc8792#section-9.1
I'd rather we follow the recommendation in 8792, rather than try to work
around an idnits bug.
I've filed a GitHub issue about the idnits bug here:
https://github.com/ietf-tools/idnits/issues/36

Thanks,
David


Received on Wednesday, 28 August 2024 17:36:33 UTC
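
The two exporter constructions this thread distinguishes, written out side by side as an added example (not part of the original message or of the draft): the TLS 1.3 exporter from Section 7.5 of RFC 8446 and the RFC 5705 exporter over the TLS 1.2 PRF, both with SHA-256. The label, secrets and randoms are constructed sample values, and the function names are chosen for this illustration.

```python
import hashlib
import hmac

H = hashlib.sha256

def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label, RFC 8446 Section 7.1 (SHA-256)."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand, RFC 5869
        block = hmac.new(secret, block + info + bytes([counter]), H).digest()
        out += block
        counter += 1
    return out[:length]

def tls13_exporter(exporter_master_secret, label, context, length):
    """TLS 1.3 exporter, RFC 8446 Section 7.5."""
    derived = hkdf_expand_label(exporter_master_secret, label,
                                H(b"").digest(), H().digest_size)
    return hkdf_expand_label(derived, b"exporter", H(context).digest(), length)

def tls12_exporter(master_secret, client_random, server_random,
                   label, context, length):
    """RFC 5705 exporter over the TLS 1.2 PRF (P_SHA256, RFC 5246 Section 5)."""
    seed = label + client_random + server_random
    if context is not None:  # RFC 5705: absent and empty context differ
        seed += len(context).to_bytes(2, "big") + context
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(master_secret, a, H).digest()
        out += hmac.new(master_secret, a + seed, H).digest()
    return out[:length]

# Constructed sample inputs, not taken from a real handshake or from the draft.
LABEL = b"EXPORTER-example-label"
SECRET_13 = bytes(range(32))        # stands in for exporter_master_secret
SECRET_12 = bytes(range(48))        # stands in for the TLS 1.2 master_secret
CLIENT_RANDOM, SERVER_RANDOM = b"\x01" * 32, b"\x02" * 32

if __name__ == "__main__":
    ctx = b"constructed context"
    print("TLS 1.3:", tls13_exporter(SECRET_13, LABEL, ctx, 32).hex())
    print("TLS 1.2:", tls12_exporter(SECRET_12, CLIENT_RANDOM, SERVER_RANDOM,
                                     LABEL, ctx, 32).hex())
```

The TLS 1.3 form binds the requested length into the derivation, so a shorter output is not a prefix of a longer one, while the RFC 5705 form is a prefix-preserving stream and is the only one of the two that distinguishes an absent context from an empty one.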