-----Original Message-----
From: Julian Reschke [mailto:julian(_dot_)reschke(_at_)gmx(_dot_)de]
Sent: Saturday, December 27, 2014 5:12 AM
To: Black, David; stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie;
paul(_dot_)hoffman(_at_)vpnc(_dot_)org;
mike(_at_)phresheez(_dot_)com; General Area Review Team
(gen-art(_at_)ietf(_dot_)org); ops-
dir(_at_)ietf(_dot_)org
Cc: http-auth(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: Re: [http-auth] Gen-ART and OPS-Dir review of draft-ietf-httpauth-
hoba-08
On 2014-12-27 04:15, Black, David wrote:
The -08 draft addresses all of the important issues in the combined Gen-ART
and OPS-Dir review of the -07 version, and is a definite improvement over
its -07 version.
Based on discussion of item [5], there are a couple of remaining editorial
nits in Section 5.3:
During the authentication phase, if the server cannot determine the
correct CPK, it could use HTML and JavaScript to ask the user if they
are really a new user or want to associate this new CPK with another
CPK. The server can then use some out-of-band method (such as a
"can" -> "should"
confirmation email round trip, SMS, or an UA that is already
enrolled) to verify that the "new" user is the same as the already-
enrolled one. Thus, logging in on a new user agent is identical to
logging in with an existing account.
If the server does not recognize the CPK the server might send the
client through a either a join or login-new-UA (see below) process.
"might" -> "should"
I agree w/the draft editor that these are matters of editorial taste.
Thanks,
--David
For the record: I strongly disagree with the proposal to insert
lower-cased BCP 14 keywords.
Best regards, Julian
If the keyword itself is a concern, "ought to" is an alternative that has
been used in the past.
Thanks, --David