
RFC 4590 IETF Last Call Comments



From: Frank Ellermann
Date: Friday, May 18, 2007
Subject: Re: Last Call: draft-ietf-radext-rfc4590bis (RADIUS Extension for Digest Authentication) to Proposed Standard

The IESG wrote:

> The IESG has received a request from the RADIUS EXTensions WG (radext)
> to consider the following document:

> - 'RADIUS Extension for Digest Authentication '
>    <draft-ietf-radext-rfc4590bis-01.txt> as a Proposed Standard

Hi, this draft might also be interesting for the 2831bis (SASL) and
2617bis (HTTP-AUTH) folks.  From a quick read I found that the I-D
picked the "keep backslash as is" approach between client and proxy,
trimming \\ and \" only at the RADIUS server.

The other DIGEST-MD5 parameters are, as always, confusing; I don't see
anything related to SASLprep in the draft (it's based on 2617).  It
mentions 2069 backwards compatibility based on the absence of "QoP";
I'm not sure if that's correct for "md5-sess" without "QoP".

The draft says that the length of NC is 10, shouldn't that be 8?

The first example has no CNONCE and no NC, my script claims that this
is a fatal error for qop=auth, isn't it?  RFC 2617 says that it MUST
be sent for a non-empty qop.

The password for the 4590 examples isn't shown, therefore I'm unable
to check them, even after adjusting the code to treat qop=auth without
CNONCE as 2069 fallback.  Should I treat CNONCE as empty and make up
an NC 00000001 ?

Without SASLprep the draft IMO needs some "I18N considerations" about
non-ASCII user names and passwords as mandated by BCP 18 (RFC 2277).

Frank
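The checks raised in the mail (NC must be 8 hex digits, CNONCE and NC are mandatory once qop is non-empty, the RFC 2069 fallback when qop is absent, and the server-side unquoting of `\\` and `\"`), as an added worked example that is neither Frank's script nor code from the draft; the function names are my own, and the RFC 2617 section 3.5 values are used as the test vector.

```python
import hashlib
import re

def _h(s: str) -> str:
    """MD5 hex digest of a UTF-8 string (the H() function of RFC 2617)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def unquote_param(value: str) -> str:
    # Server-side unquoting of a quoted-string: drop the outer quotes, then
    # collapse backslash escapes (backslash-backslash and backslash-quote).
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)

def validate_digest_params(p: dict) -> list:
    """Check the constraints discussed in the mail; returns a list of problems (empty means OK)."""
    problems = []
    if p.get("qop"):
        # RFC 2617 3.2.2: cnonce and nc MUST be present when a non-empty qop is sent
        for name in ("cnonce", "nc"):
            if not p.get(name):
                problems.append(f"{name} is required when qop is non-empty")
    if "nc" in p and not re.fullmatch(r"[0-9a-f]{8}", p["nc"], re.IGNORECASE):
        problems.append("nc must be exactly 8 hex digits")
    if p.get("algorithm", "MD5").upper() == "MD5-SESS" and not p.get("cnonce"):
        problems.append("MD5-sess needs cnonce even when qop is absent")
    return problems

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, algorithm="MD5"):
    """Compute the Digest 'response' value; uses the RFC 2069 form when qop is absent."""
    params = {"qop": qop, "nc": nc, "cnonce": cnonce, "algorithm": algorithm}
    problems = validate_digest_params({k: v for k, v in params.items() if v is not None})
    if problems:
        raise ValueError("; ".join(problems))
    ha1 = _h(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        ha1 = _h(f"{ha1}:{nonce}:{cnonce}")
    ha2 = _h(f"{method}:{uri}")
    if not qop:
        # RFC 2069 compatibility: KD(HA1, nonce ":" HA2), nc and cnonce do not enter
        return _h(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled here")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
```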