Re: AD Review of draft-ietf-httpbis-unprompted-auth-09

Hi David,

Thanks for the quick reply.

Just to be clear – from the way it was written in the quoted sentence, I didn’t read that the exporter depended on the TLS version used, but it was always the one defined in RFC 5705, hence my comment. Thanks for clarifying.

Anyways, your PR works for me! Up to you if you want to submit an update or wait for more reviews.

Francesca

From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wednesday, 28 August 2024 at 19:36
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: draft-ietf-httpbis-unprompted-auth@ietf.org <draft-ietf-httpbis-unprompted-auth@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: AD Review of draft-ietf-httpbis-unprompted-auth-09
Hi Francesca, and thank you for the review!

I've addressed all your comments in this PR:
https://github.com/httpwg/http-extensions/pull/2885

Can you confirm that this works for you please?

Detailed responses inline.

On Wed, Aug 28, 2024 at 2:34 AM Francesca Palombini <francesca.palombini@ericsson.com> wrote:
# AD Review of draft-ietf-httpbis-unprompted-auth-09

cc @fpalombini

Thank you for this document, I found it very clear and easy to read. I only have one minor comment and some nits; you can take care of these at the same time as any other comments from IETF last call, which I will initiate now.

Francesca

## Comments

### key exporter

Section 3:
> When a client wishes to uses the Concealed HTTP authentication scheme with a request, it SHALL compute the authentication proof using a TLS keying material exporter [KEY-EXPORT] with the following parameters:

It is not clear to me if this doc uses the original RFC 5705 version (as referenced) or the updated construction by TLS 1.3 (Section 7.5 of RFC 8446). By the way it is referenced, and the way I interpret the "Update" header tag for RFCs, I'd assume 5705 - if my assumption is wrong, maybe some text (and an additional reference to TLS 1.3 in the sentence above) would help remove all ambiguity. Otherwise, has the working group considered using the TLS 1.3 exporter, rather than the RFC 5705 one?

It's not possible to use the RFC 5705 construction with TLS 1.3. That said, I agree that the text could be improved. I've removed the reference from that sentence and instead added the following below it to remove ambiguity:
<<Note that TLS 1.3 keying material exporters are defined in Section 7.5 of [TLS], while TLS 1.2 keying material exporters are defined in [KEY-EXPORT].>>

## Nits

### nit

Section 3.2:
>The key exporter context contains the following fields:

A copy-paste gone wrong, I assume :) s/context/output?

Indeed. Fixed. Thanks for noticing!

### Id nits complaints

ID-Nits gives me the following warning:

  == Unused Reference: 'RFC8792' is defined on line 664, but no explicit
     reference was found in the text

This is a false positive, but I think moving the first line of Figure 5 and 6 out of the figure would fix it.

This is a bug in the idnits tool. RFC 8792 itself asks us to put this text inside the diagrams:
https://www.rfc-editor.org/rfc/rfc8792#section-9.1

I'd rather we follow the recommendation in 8792, rather than try to work around an idnits bug.
I've filed a GitHub issue about the idnits bug here:
https://github.com/ietf-tools/idnits/issues/36


Thanks,
David

Received on Wednesday, 28 August 2024 20:13:14 UTC
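The thread above turns on the fact that the TLS 1.2 keying material exporter of RFC 5705 and the TLS 1.3 exporter of RFC 8446 Section 7.5 are different constructions, so an implementation has to pick the one matching the negotiated TLS version. The following added example (not code from the draft, the thread, or any of its authors) implements both constructions from the RFC definitions using only the Python standard library, so the difference can be seen concretely. The exporter secret, master secret, randoms, label and context value are constructed placeholders; the draft's actual label and context layout are not reproduced here.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256


# ---- HKDF (RFC 5869): the primitive under the TLS 1.3 exporter ----

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


# ---- TLS 1.3 exporter (RFC 8446 Section 7.5) ----

def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """Serialize the HkdfLabel struct of RFC 8446 Section 7.1
    (uint16 length, "tls13 " + label with 1-byte length, context with 1-byte length)."""
    full_label = b"tls13 " + label
    return (struct.pack("!H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def tls13_exporter(exporter_secret: bytes, label: bytes, context_value: bytes, key_length: int) -> bytes:
    """TLS-Exporter(label, context_value, key_length) =
       HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
                         "exporter", Hash(context_value), key_length)"""
    # Derive-Secret with an empty transcript uses Hash("") as its context.
    derived = hkdf_expand_label(exporter_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context_value).digest(), key_length)


# ---- TLS 1.2 exporter (RFC 5705, on top of the RFC 5246 PRF) ----

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF with P_SHA256: A(i) = HMAC(secret, A(i-1)), A(0) = label|seed;
    output = HMAC(secret, A(1)|label|seed) | HMAC(secret, A(2)|label|seed) | ..."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()
        out += hmac.new(secret, a + label + seed, HASH).digest()
    return out[:length]


def tls12_exporter(master_secret: bytes, client_random: bytes, server_random: bytes,
                   label: bytes, context_value, length: int) -> bytes:
    """RFC 5705 Section 4: PRF(master_secret, label,
       client_random + server_random [+ uint16 context length + context_value]).
    Passing context_value=None means 'no context', which differs from an empty context."""
    seed = client_random + server_random
    if context_value is not None:
        seed += struct.pack("!H", len(context_value)) + context_value
    return tls12_prf(master_secret, label, seed, length)


def demo() -> dict:
    """Run both exporters on constructed placeholder inputs (not real handshake values)."""
    exporter_secret = bytes(range(32))          # placeholder for the TLS 1.3 exporter_master_secret
    master_secret = bytes(range(48))            # placeholder for the TLS 1.2 master_secret
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    label = b"EXPORTER-example-label"           # placeholder, not the draft's label
    context = b"example context value"          # placeholder, not the draft's context layout
    return {
        "tls13": tls13_exporter(exporter_secret, label, context, 32),
        "tls12": tls12_exporter(master_secret, client_random, server_random, label, context, 32),
    }


if __name__ == "__main__":
    for version, key in demo().items():
        print(version, key.hex())
```

The HKDF helpers can be checked against the RFC 5869 Appendix A test vectors, which is what pins the TLS 1.3 path down; the TLS 1.2 path shows that RFC 5705 feeds the label and randoms into a different PRF entirely, which is why the draft cannot simply cite RFC 5705 for TLS 1.3 connections.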