Document: draft-ietf-krb-wg-anon-05.txt
Reviewer: Miguel Garcia
Review Date: 2008-03-03
IETF LC End Date: 2008-03-07

Summary: The document is ready for publication as a proposed standard RFC.

Comments: Here are some comments you may want to include in a future revision of the document.

- Section 3, 1st paragraph, says:

    An anonymous Kerberos realm name MUST NOT be present in the transited field of a ticket.

  and later the third paragraph says:

    Note that in this specification, the anonymous principal name and realm are only applicable to the client in Kerberos messages, the server MUST NOT be anonymous in any Kerberos message.

  It came to my attention that this text is part of Section 3, "Definitions". However, the above paragraphs are not definitions but normative text. I would have expected the Definitions section to contain informative definitions that help to understand the draft, not normative procedures. I suggest moving the above text elsewhere in the draft.

- Section 3, anonymous ticket flag: The 4th paragraph in Section 3 lacks context with respect to the anonymous ticket flag. For example, I would have expected the text to answer these questions: Is the anonymous ticket flag a new flag defined by this document, or is it defined elsewhere? What is the purpose of this flag? Perhaps the 4th paragraph should start by saying: "This document defines a new 'anonymous ticket flag' whose purpose is to indicate that a request is being made anonymously" (or something like that).

- Section 4, 1st paragraph, second line: Is the acronym "AS" correct for "Authentication Exchange"? It looks like it could be "AE" instead. Later, still in the 1st paragraph, on the 6th and 7th lines, the text says: "... in an AS exchange". So, if I replace "AS" with "Authentication Exchange", the sentence will read "... in an Authentication Exchange exchange", which obviously looks bad.

- Section 4, page 6, third paragraph on that page: There is normative text in passive voice, and it wasn't immediately clear to me who the subject of the normative text is. The text reads:

    Identity-based authorization data SHOULD NOT be present in an anonymous ticket in that it typically reveals the client's identity.

  Presumably this "SHOULD NOT" should apply to the TGS, but I am not sure. I would suggest clarifying this and turning the sentence into active voice. Perhaps the same is also applicable to other parts of the draft.

- Section 5, 1st paragraph on page 8, reads: "... the initiator must NOT send". I guess this should be a normative "MUST NOT". If it isn't, then turn it into "must not".

- Section 8, IANA considerations. The text reads:

    Section 3 defines the anonymous Kerberos name and the anonymous Kerberos realm based on [KRBNAM]. The IANA registry for [KRBNAM] need to be updated to add references to this document.

  I think IANA will have trouble parsing the above text. I would suggest the following:

    This document defines a new 'anonymous' Kerberos name and a new 'anonymous' Kerberos realm based on [KRBNAM]. IANA is requested to add these two values to the Kerberos name and the Kerberos realm registries that are created in [KRBNAM].