Last Call Review of draft-ietf-precis-7613bis-07

Request: Review of draft-ietf-precis-7613bis
Requested rev.: no specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2017-06-27
Requested: 2017-06-13
Authors: Peter Saint-Andre, Alexey Melnikov
Draft last updated: 2017-06-25
Completed reviews:
  Secdir Last Call review of -07 by Joseph Salowey
  Genart Last Call review of -07 by Linda Dunbar
  Opsdir Last Call review of -08 by Tina Tsou
Assignment: Reviewer Joseph Salowey
State: Completed
Review: review-ietf-precis-7613bis-07-secdir-lc-salowey-2017-06-25
Reviewed rev.: 07 (document currently at 11)
Review result: Has Nits
Review completed: 2017-06-25


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is that the document is ready with nits.

This document is an update to RFC 7613. A few minor comments:

1. I think it would be good to show that the zero-length password is not allowed in table 4 (18 | <> | zero-length password). There are lots of cases where allowing zero-length passwords has led to problems. Disallowing zero-length passwords is helpful.

2. Comparison of passwords is a touchy subject. I can't think of a case where it would be preferable to do a direct password comparison. In most cases the comparison will be done against a salted-hashed transform of the password or involve some other cryptographic operation. I think it would be good to discuss this briefly in the security considerations section; sample text below:

"Password Comparison

Verification of passwords during authentication will not use the comparison defined in section 4.2.3. Instead, cryptographic calculations are performed to verify the password. In most cases the password will be prepared as in section 4.2.1 and meet the rules enforced in section 4.2.2 before the calculations are performed."
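The two points above (reject a zero-length password after preparation, and verify against a salted cryptographic transform rather than a direct string comparison) are illustrated by the following added example. It is not code from the reviewer or from the draft; it implements a simplified version of the OpaqueString profile rules described in RFC 7613 (map non-ASCII space characters to U+0020, then apply NFC normalization, then enforce the string class and the non-zero-length rule), using a Unicode-category check for control and unassigned code points as a stand-in for the full FreeformClass, and PBKDF2-HMAC-SHA256 with a random salt as the verification transform. The helper names and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumption for this example, not a value from the draft


def prepare_password(pw: str) -> str:
    """Preparation (section 4.2.1 in the reviewer's text): mapping + normalization.

    OpaqueString maps non-ASCII space characters (Unicode category Zs) to
    U+0020 and then applies NFC normalization. No case folding is done,
    since passwords are case sensitive.
    """
    mapped = "".join(" " if unicodedata.category(c) == "Zs" else c for c in pw)
    return unicodedata.normalize("NFC", mapped)


def enforce_password(pw: str) -> str:
    """Enforcement (section 4.2.2): prepare, check the string class, reject empty.

    The class check here is simplified: it rejects control (Cc) and
    unassigned (Cn) code points, which the real FreeformClass also disallows,
    but it does not reproduce the full class definition.
    """
    prepared = prepare_password(pw)
    for ch in prepared:
        if unicodedata.category(ch) in ("Cc", "Cn"):
            raise ValueError("password contains a disallowed code point U+%04X" % ord(ch))
    # The zero-length check is done after preparation so that a non-empty
    # input that canonicalizes to nothing is still rejected.
    if len(prepared.encode("utf-8")) == 0:
        raise ValueError("zero-length password is not allowed")
    return prepared


def store_password(pw: str) -> tuple[bytes, bytes]:
    """Enroll a password: enforce the rules, then derive a salted hash."""
    prepared = enforce_password(pw)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", prepared.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Verify without ever comparing the prepared strings directly.

    The candidate goes through the same preparation and enforcement as at
    enrollment, is transformed with the stored salt, and the transforms are
    compared in constant time.
    """
    try:
        prepared = enforce_password(candidate)
    except ValueError:
        return False
    cand = hashlib.pbkdf2_hmac(
        "sha256", prepared.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # Constructed sample: the same password entered in precomposed and
    # decomposed form must verify, since both normalize to the same NFC string.
    salt, digest = store_password("caf\u00e9 pass")
    print(verify_password("cafe\u0301\u00a0pass", salt, digest))  # True
    print(verify_password("", salt, digest))  # False (zero-length rejected)
```

Because `verify_password` runs the candidate through the same preparation as enrollment, a password typed with a no-break space or a decomposed accent still verifies, while a control character or an empty string is rejected before any hashing takes place.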