
Re: WG Last Call: draft-ietf-sasl-scram-01.txt



On Wed, May 27, 2009 at 11:40:16AM -0700, Kurt Zeilenga wrote:
> This message initiates a SASL WG Last Call on the Internet-Draft:
> 
> >	Title           : Salted Challenge Response (SCRAM) SASL Mechanism
> >	Author(s)       : A. Menon-Sen, et al.
> >	Filename        : draft-ietf-sasl-scram-01.txt
> >	Pages           : 33
> >	Date            : 2009-05-26

My only comments are editorial, otherwise I'm happy with this
Internet-Draft:

 - Clarify this sentence:

  "This means that SCRAM is actually both, a GSS-API and SASL mechanism."

   as follows:

  "This means that this document defines both, a GSS-API mechanism and a
   SASL mechanism."

   Rationale: one must remove the GS2 header from the initial context
   token and then add the RFC2743 initial context token header in order
   to get SCRAM as a GSS-API mechanism, therefore the original text
   above might be confusing to some readers.  See section 8.

 - Section 4, there's a typo: (20-length("SCRAM-")-lenght("-PLUS")
   (the second 'length' is misspelled).

 - Section 5, "SCRAM is a text protocol where...".  Really?  I thought
   SCRAM was a mechanism, not a protocol...  How about:

   "SCRAM is a SASL mechanism whose authentication messages are
   text-based messages containing one or more attribute-value pairs
   separated by commas."

   (That these messages are exchanged by a client and server seems
   superfluous once one describes SCRAM as a SASL mechanism.)

 - Section 6:

"
   o  If the client negotiates mechanisms then client MUST select SCRAM-
      <hash-function>-PLUS if offered by the server.  Otherwise, if the
      client does not negotiate mechanisms then it MUST select only
      SCRAM-<hash-function> (not suffixed with "-PLUS").
"

   s/then client/then the client/

   s/MUST select SCRAM-<hash-function>-PLUS if offered by the server/
     MUST select SCRAM-<hash-function>-PLUS if offered by the server and
     the client wants to select SCRAM with the given hash function/

 - Section 6:

   o  If the client supports channel binding but the server does not
      then the client MUST ...

   s/the server does not/the server does not (i.e., did not offer
     SCRAM-<hash-function>-PLUS) then the client MUST .../


Nico
--
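The two mechanics this review touches (the GS2 header that has to be stripped from the initial token, and the comma-separated attribute-value format of the SCRAM messages) are easy to get wrong when hand-rolling a parser. The following Python is an added illustration written for this archive page, not code from the draft, its authors, or the reviewer. It parses a client-first-message per the wire format in the draft (RFC 5802 as published), separating the GS2 header from the bare message, unescaping `saslname`, and rejecting a mandatory extension it does not understand. The `choose_scram` helper encodes the Section 6 selection rule as amended in the message above; the `"y"` channel-binding flag for the "client supports channel binding but server did not offer -PLUS" case is taken from RFC 5802 rather than from this page, whose quotation of that rule is cut off. Sample messages and nonces are constructed for the example.

```python
"""Parse a SCRAM client-first-message (GS2 header + attribute-value pairs)
and pick a SCRAM mechanism name according to the Section 6 rules."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Attribute names are single letters; the value is everything after the
# first "=" and may itself contain "=" (e.g. base64 padding in later messages).
ATTR_RE = re.compile(r"^([A-Za-z])=(.*)$")


@dataclass
class ClientFirst:
    cbind_flag: str            # "n", "y" or "p"
    cbind_name: Optional[str]  # channel-binding type when the flag is "p"
    authzid: Optional[str]     # a=... authorization identity, if present
    username: str              # n=... after saslname unescaping
    nonce: str                 # r=... client nonce
    bare: str                  # client-first-message-bare, i.e. with the GS2 header removed
    extensions: dict = field(default_factory=dict)


def decode_saslname(value: str) -> str:
    """saslname escapes ',' as '=2C' and '=' as '=3D'; any other '=' is invalid."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "=":
            tok = value[i:i + 3]
            if tok == "=2C":
                out.append(",")
            elif tok == "=3D":
                out.append("=")
            else:
                raise ValueError(f"invalid saslname escape at offset {i}: {value!r}")
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_attributes(segment: str) -> list:
    """Split 'a=1,b=2' into [('a', '1'), ('b', '2')], rejecting malformed items."""
    pairs = []
    for item in segment.split(","):
        m = ATTR_RE.match(item)
        if not m:
            raise ValueError(f"malformed attribute {item!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_client_first(msg: str) -> ClientFirst:
    # gs2-header = gs2-cbind-flag "," [authzid] ","  -> always the first two fields.
    parts = msg.split(",", 2)
    if len(parts) != 3:
        raise ValueError("missing GS2 header")
    flag_field, authz_field, bare = parts
    if flag_field in ("n", "y"):
        flag, cb_name = flag_field, None
    elif flag_field.startswith("p=") and len(flag_field) > 2:
        flag, cb_name = "p", flag_field[2:]
    else:
        raise ValueError(f"bad gs2-cbind-flag {flag_field!r}")
    authzid = None
    if authz_field:
        if not authz_field.startswith("a="):
            raise ValueError("authzid must be encoded as a=...")
        authzid = decode_saslname(authz_field[2:])
    pairs = parse_attributes(bare)
    # "m=" marks a mandatory extension; a parser that does not know it must fail.
    if pairs and pairs[0][0] == "m":
        raise ValueError("unsupported mandatory extension")
    if len(pairs) < 2 or pairs[0][0] != "n" or pairs[1][0] != "r":
        raise ValueError("client-first-message-bare must begin with n=...,r=...")
    nonce = pairs[1][1]
    if not nonce or not all(0x21 <= ord(c) <= 0x7E and c != "," for c in nonce):
        raise ValueError("nonce must be printable ASCII without commas")
    return ClientFirst(flag, cb_name, authzid, decode_saslname(pairs[0][1]),
                       nonce, bare, dict(pairs[2:]))


def choose_scram(offered: list, hash_name: str, client_supports_cb: bool) -> tuple:
    """Return (mechanism, gs2-cbind-flag) for a client that negotiates mechanisms
    and wants SCRAM with hash_name. -PLUS is chosen whenever offered and usable;
    flag 'y' signals channel-binding support that the server did not advertise."""
    plus, base = f"SCRAM-{hash_name}-PLUS", f"SCRAM-{hash_name}"
    if client_supports_cb and plus in offered:
        return plus, "p"
    if base in offered:
        return base, ("y" if client_supports_cb else "n")
    raise ValueError(f"server offers no SCRAM-{hash_name} variant")
```

Note that `split(",", 2)` is what makes the header removal safe: only the first two commas delimit the GS2 header, so a `saslname` that legitimately contains `=2C` is never mistaken for a field boundary.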