- From: David Schinazi <dschinazi.ietf@gmail.com>
- Date: Tue, 17 Sep 2024 09:15:34 -0700
- To: Éric Vyncke <evyncke@cisco.com>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-unprompted-auth@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, tpauly@apple.com
- Message-ID: <CAPDSy+6mYyd4ZNLhCoJo0Lb3Dw5yVsth+U=_QnrmBf1kMmA3bw@mail.gmail.com>
Hi Éric, and thanks for your review. I've landed this commit in response to your comments:
https://github.com/httpwg/http-extensions/commit/6965ae390a3ec2554482fe171c6ab96bb37ab5ea

More detailed responses inline below.

David

On Tue, Sep 17, 2024 at 3:13 AM Éric Vyncke via Datatracker <noreply@ietf.org> wrote:

> Éric Vyncke has entered the following ballot position for
> draft-ietf-httpbis-unprompted-auth-11: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> # Éric Vyncke, INT AD, comments for draft-ietf-httpbis-unprompted-auth-11
>
> Thank you for the work put into this document.
>
> Please find below some non-blocking COMMENT points (but replies would be
> appreciated even if only for my own education).
>
> Special thanks to Tommy Pauly for the shepherd's detailed write-up including
> the WG consensus and the justification of the intended status.
>
> I hope that this review helps to improve the document,
>
> Regards,
>
> -éric
>
> # COMMENTS (non-blocking)
>
> I learned a new English word "probeable", which I misread as "probable" several
> times :-) "Unprompted" was clearer IMHO but this is cosmetic.

I agree with you, in part because my laptop keeps wanting to autocorrect "probeable" to "probable" :-). I wasn't able to find a better word, since "unprompted" is not an alternative here. I'm open to suggestions.
> ## Section 1
>
> A time diagram of all exchanges will be welcome by the readers, e.g., setting
> up the TLS session, client sending its key context, (exchange between frontend
> and backend), then (if I understand correctly) the actual authentication taking
> place with a nonce, then actual data transfer.

There's pretty much only one exchange which is:
client ----Authorization----> server.
The second one we can add is that when frontend and backend are split (which is rare) then it's:
client ----Authorization----> frontend -----Authorization+context---->backend.
Not sure if that diagram would help much though.

> ## Section 3.1
>
> Suggest to add a reference to the syntax used in Figure 1.

Agree, I added one.

> s/s Parameter/"s" Parameter/ ? and similar for "k", ... Noting that this
> notation is used in section 4.

The HTTP style guide [1] recommends using double quotes when defining header fields (and by extension, parameters) and not using double quotes when referring to them. We followed that in this document, so we use double quotes in section 4, and no quotes in other sections.

[1] https://httpwg.org/admin/editors/style-guide#header-and-trailer-fields

> ## Why not mTLS ?
>
> Should there be a comparison with mutually authenticated TLS ? I understand
> that mTLS and this I-D work at different layers but mTLS could also be used for
> similar purposes.

mTLS is visible from network operators, and it is probeable by clients, so it doesn't fit the requirements. We could mention this, but that also applies to many other authentication systems, so I'd rather not list every single one here.
Received on Tuesday, 17 September 2024 16:15:51 UTC