- From: Éric Vyncke via Datatracker <noreply@ietf.org>
- Date: Tue, 17 Sep 2024 03:13:16 -0700
- To: "The IESG" <iesg@ietf.org>
- Cc: draft-ietf-httpbis-unprompted-auth@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, tpauly@apple.com, tpauly@apple.com
Éric Vyncke has entered the following ballot position for
draft-ietf-httpbis-unprompted-auth-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

# Éric Vyncke, INT AD, comments for draft-ietf-httpbis-unprompted-auth-11

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points (but replies would be
appreciated even if only for my own education).

Special thanks to Tommy Pauly for the shepherd's detailed write-up including
the WG consensus and the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric

# COMMENTS (non-blocking)

I learned a new English word "probeable", which I misread as "probable" several
times :-) "Unprompted" was clearer IMHO but this is cosmetic.

## Section 1

A time diagram of all exchanges will be welcomed by the readers, e.g., setting up
the TLS session, client sending its key context, (exchange between frontend and
backend), then (if I understand correctly) the actual authentication taking
place with a nonce, then actual data transfer.

## Section 3.1

Suggest to add a reference to the syntax used in Figure 1.

s/s Parameter/"s" Parameter/ ? and similar for "k", ... Noting that this
notation is used in section 4.

## Why not mTLS ?

Should there be a comparison with mutually authenticated TLS ?
I understand that mTLS and this I-D work at different layers but mTLS could also be used for similar purposes.

Received on Tuesday, 17 September 2024 10:13:21 UTC