> -----Original Message----- > From: Julian Reschke [mailto:julian.reschke@xxxxxx] > Sent: Saturday, December 27, 2014 5:12 AM > To: Black, David; stephen.farrell@xxxxxxxxx; paul.hoffman@xxxxxxxx; > mike@xxxxxxxxxxxxx; General Area Review Team (gen-art@xxxxxxxx); ops- > dir@xxxxxxxx > Cc: http-auth@xxxxxxxx; ietf@xxxxxxxx > Subject: Re: [http-auth] Gen-ART and OPS-Dir review of draft-ietf-httpauth- > hoba-08 > > On 2014-12-27 04:15, Black, David wrote: > > The -08 draft addresses all of the important issues in the combined Gen-ART > > and OPS-Dir review of the -07 version, and is a definite improvement over > > its -07 version. > > > > Based on discussion of item [5], there are a couple of remaining editorial > > nits in Section 5.3: > > > > During the authentication phase, if the server cannot determine the > > correct CPK, it could use HTML and JavaScript to ask the user if they > > are really a new user or want to associate this new CPK with another > > CPK. The server can then use some out-of-band method (such as a > > > > "can" -> "should" > > > > confirmation email round trip, SMS, or an UA that is already > > enrolled) to verify that the "new" user is the same as the already- > > enrolled one. Thus, logging in on a new user agent is identical to > > logging in with an existing account. > > > > If the server does not recognize the CPK the server might send the > > client through a either a join or login-new-UA (see below) process. > > > > "might" -> "should" > > > > I agree w/the draft editor that these are matters of editorial taste. > > > > Thanks, > > --David > > For the record: I strongly disagree with the proposal to insert > lower-cased BCP 14 keywords. > > > Best regards, Julian If the keyword itself is a concern, "ought to" is an alternative that has been used in the past. Thanks, --David