I have been selected as the General Area Review Team (Gen-ART)
reviewer for this draft (for background on Gen-ART, please see
http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).
Please wait for direction from your document shepherd
or AD before posting a new version of the draft.
Document: draft-ietf-krb-wg-anon-05.txt
Reviewer: Miguel Garcia <[EMAIL PROTECTED]>
Review Date: 2008-03-03
IETF LC End Date: 2008-03-07
Summary: The document is ready for publication as a proposed standard RFC.
Comments: Here are some comments you may want to include in a future
revision of the document.
- Section 3 1st paragraph says:
An anonymous Kerberos realm name MUST NOT be present in
the transited field of a ticket.
and later the third paragraph says:
Note that in this specification, the anonymous principal name and
realm are only applicable to the client in Kerberos messages, the
server MUST NOT be anonymous in any Kerberos message.
It came to my attention that this text is part of Section 3:
"Definitions". However, the above paragraphs are not definitions, but
normative text. I would have expected the Definitions section to
contain informative definitions that help the reader understand the draft,
not normative procedures. I suggest moving the above text elsewhere
in the draft.
- Section 3, anonymous ticket flag:
The 4th paragraph in Section 3 lacks context with respect to the
anonymous ticket flag. For example, I would have expected the text to
answer these questions: Is the anonymous ticket flag a new flag defined
by this document or defined elsewhere? What is the purpose of this flag?
Perhaps the 4th paragraph should start by saying:
"This document defines a new 'anonymous ticket flag' whose purpose is to
indicate that a request is being made anonymously" (or something like that).
- Section 4, 1st paragraph, second line. Is the acronym "AS" correct for
"Authentication Exchange"? It looks like it could be "AE" instead.
Later, still in the 1st paragraph, on the 6th and 7th lines, the text
says: "... in an AS exchange"
So, if I replace "AS" with "Authentication Exchange", then the sentence
will read: "... in an Authentication Exchange exchange", which obviously
looks bad.
- Section 4, page 6, third paragraph on that page: There is normative
text in passive voice, and it wasn't immediately clear to me who is the
subject of the normative text. The text reads:
Identity-based authorization data SHOULD NOT be present in an
anonymous ticket in that it typically reveals the client's identity.
Presumably this "SHOULD NOT" strength should apply to the TGS, but I am
not sure. I would suggest clarifying this and turning the sentence into
active voice. Perhaps the same is also applicable to other parts of the draft.
- Section 5, 1st paragraph on Page 8, reads:
" ... the initiator must NOT send "
I guess this should be a normative "MUST NOT". If it isn't, then change it
to "must not".
- Section 8, IANA consideration. The text reads:
Section 3 defines the anonymous Kerberos name and the anonymous
Kerberos realm based on [KRBNAM]. The IANA registry for [KRBNAM]
need to be updated to add references to this document.
I think IANA will have trouble parsing the above text. I would suggest
the following:
This document defines a new 'anonymous' Kerberos name and a new
'anonymous' Kerberos realm based on [KRBNAM]. IANA is requested to add
these two values to the Kerberos name and the Kerberos realm registries
that are created in [KRBNAM].
Thanks,
Miguel Garcia
--
Miguel A. Garcia tel:+358-50-4804586
Nokia Siemens Networks Espoo, Finland
_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art