Reviewer: Joseph Salowey
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is that the document is ready with nits.

This document is an update to RFC 7613. A few minor comments:

1.  I think it would be good to show that the zero-length password is not
allowed in table 4 (18 | <> | zero-length password). There are lots of cases
where allowing zero-length passwords has led to problems. Disallowing
zero-length passwords is helpful.

2.  Comparison of passwords is a touchy subject. I can't think of a case
where it would be preferable to do a direct password comparison. In most
cases the comparison will be done against a salted-hashed transform of the
password or involve some other cryptographic operation. I think it would be
good to discuss this briefly in the security considerations section; sample
text below:

"Password Comparison

Verification of passwords during authentication will not use the comparison
defined in section 4.2.3. Instead, cryptographic calculations are performed to
verify the password. In most cases the password will be prepared as in
section 4.2.1 and meet the rules enforced in section 4.2.2 before the
calculations are performed."

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis

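The prepare-enforce-then-hash verification flow that the proposed security
considerations text describes, written out as an added example by the
editor; it is not text from the review, the PRECIS working group, or
RFC 7613. It applies the OpaqueString enforcement rules of section 4.2.2
(non-ASCII space mapped to U+0020, NFC normalization, no case or width
mapping, zero-length result rejected) and then verifies a candidate against
a salted PBKDF2-HMAC-SHA256 digest with a constant-time compare, never
against the section 4.2.3 string comparison. Assumptions: the FreeformClass
check is simplified to rejecting control and unassigned code points rather
than computing the full RFC 7564 derived property; PBKDF2, the iteration
count, the salt handling and the `register`/`verify` names are the editor's
own choices; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import unicodedata

# Editor's example; not from the review or RFC 7613. The iteration count is
# an illustrative choice, not a recommendation from the document.
PBKDF2_ITERATIONS = 200_000


def enforce_opaque_string(password: str) -> str:
    """Apply the OpaqueString enforcement rules of RFC 7613 section 4.2.2.

    Raises ValueError when the string is not acceptable. The FreeformClass
    check is simplified (assumption): only control (Cc) and unassigned (Cn)
    code points are rejected, not the full RFC 7564 derived property.
    """
    mapped = []
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Zs" and ch != " ":
            # Additional Mapping Rule: any non-ASCII space becomes U+0020.
            mapped.append(" ")
        elif cat in ("Cc", "Cn"):
            raise ValueError(f"disallowed code point U+{ord(ch):04X}")
        else:
            # No case mapping and no width mapping: the character is kept.
            mapped.append(ch)
    # Normalization Rule: NFC (not NFKC, which would also fold fullwidth forms).
    result = unicodedata.normalize("NFC", "".join(mapped))
    # A zero-length password is rejected after the rules have been applied.
    if len(result.encode("utf-8")) == 0:
        raise ValueError("zero-length password is not allowed")
    return result


def register(password: str, salt: bytes = None) -> tuple:
    """Prepare and enforce, then keep only (salt, salted digest), never the password."""
    prepared = enforce_opaque_string(password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", prepared.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Verify a candidate password without comparing password strings.

    The candidate goes through the same enforcement as at registration, the
    digest is recomputed, and the two digests are compared in constant time.
    """
    try:
        prepared = enforce_opaque_string(candidate)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", prepared.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: the registered password contains U+00A0 NO-BREAK SPACE.
    salt, digest = register("correct horse\u00a0battery")
    print(verify("correct horse battery", salt, digest))  # True: space was mapped
    print(verify("Correct horse battery", salt, digest))  # False: no case mapping
    print(verify("", salt, digest))                       # False: zero-length rejected
```

Because enforcement runs on both sides before hashing, a password stored
with a decomposed accent or a non-ASCII space verifies against its NFC or
ASCII-space equivalent, while case and width differences still fail, which
is exactly the equivalence the section 4.2.3 comparison would have produced
without ever holding two cleartext passwords side by side.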