Document: draft-ietf-lemonade-urlauth-07.txt
Reviewer: Lakshminath Dondeti
Review Date: Thursday 9/1/2005 3:58 AM CST
Telechat Date: 01 Sept 2005

Summary: Generally ready for publication ... I see some discuss comments already, and I have some questions/comments myself.

Review:
-------

* I am uncomfortable with the word Authorization and the mechanisms for it in this draft. However, it is late in the process to have a philosophical discussion. Since this is a WG consensus, I can live with it.

  To explain: The first sentence notes that RFC 2192 requires authorization. My reading of that RFC is that it is talking about authenticating a user and then verifying whether the user is authorized to read/read-write. Authorization comes from local policy and is enforced after authenticating the user.

  Section 1.4 concerns me. First, I am not sure I understand the use of HMAC-SHA-1 as an authorization mechanism. More importantly, the draft only recommends something such as that algorithm and notes that there is no way to change the algorithm without severe consequences. While HMAC is holding up, there are concerns about SHA-1 already; I am not sure about advancing protocol specs in which algorithms cannot be updated.
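To illustrate the algorithm-agility point raised above, the following is an added example (not code from the draft or the reviewer): a verifier that is hard-wired to HMAC-SHA-1 cannot accept a token produced with a newer hash, whereas a token that carries its algorithm name can be verified during a migration. The token layout, mailbox key and IMAP-style URL are constructed for illustration and are not the draft's exact encoding.

```python
import hashlib
import hmac

# Constructed sample key; a real server would hold a per-mailbox secret.
MAILBOX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed sample URL in the IMAP URL style; not taken from the draft.
SAMPLE_URL = "imap://example.com/INBOX/;UID=20;URLAUTH=anonymous"


def make_token(url: str, key: bytes, alg: str = "sha1") -> str:
    """HMAC over the URL with the named hash, hex encoded (assumed layout)."""
    return hmac.new(key, url.encode("utf-8"), getattr(hashlib, alg)).hexdigest()


def verify_fixed(url: str, token: str, key: bytes) -> bool:
    """Verifier with the algorithm baked in: only HMAC-SHA-1 tokens pass."""
    return hmac.compare_digest(make_token(url, key, "sha1"), token)


# Agile variant: the token carries its algorithm name, and the verifier keeps
# an explicit allow-list so that old and new algorithms can coexist while
# clients are migrated, and unknown or retired names are rejected.
ACCEPTED_ALGS = ("sha256", "sha1")


def make_tagged_token(url: str, key: bytes, alg: str = "sha256") -> str:
    return f"{alg}:{make_token(url, key, alg)}"


def verify_tagged(url: str, tagged: str, key: bytes) -> bool:
    alg, sep, mac = tagged.partition(":")
    if not sep or alg not in ACCEPTED_ALGS:
        return False
    return hmac.compare_digest(make_token(url, key, alg), mac)
```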