Hi Martin, Thanks for the review. Responses inline.
> On Jun 6, 2020, at 2:49 PM, Martin Duke via Datatracker <nore...@ietf.org> > wrote: > Martin Duke has entered the following ballot position for > draft-ietf-capport-api-07: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-capport-api/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Unless I am misinterpreting the language here, there is a disconnect between > this document and the architecture document. > > Sec 2.3 of -architecture says: > At minimum, the API MUST provide: (1) the state of captivity and (2) a URI for > the Captive Portal Server. > > But in section 5 user-portal-url is an optional field. Is -architecture > actually levying a requirement on the api spec, or the api server? I believe in this case the architecture document needs to change, or clarify that this MUST refers to that the mechanism needs to be *able* to communicate such a URI, not that such a URI must always be communicated. The group has discussed this several times, and I believe the API doc reflects the consensus: while we aren’t tackling solutions for captive portals that don’t involve User Portal pages (future solutions using a more OS-driven experience and perhaps built in payment, etc), we want to allow the API JSON to be usable in those new models. Not all captive networks will necessarily use this kind of URI in the future, and there’s no need to make the registry lock that in as mandatory. > > I am also confused by this sentence at the end of section 4.1 about failed > authentication: “It may still be possible for the user to access the network > by > being redirected to a web portal.” > > Who is doing the redirecting here? If authentication has failed, how is this > redirect authenticated and secure against theft of credentials? This is referring to the fact that the old HTTP redirect of a clear text webpage may still happen on a network. Even networks that support the API will need to handle legacy clients. This is only about redirecting unrelated pages to the user portal, and is orthogonal to the authenticity of the API server. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > This document is otherwise clearly written. Thanks. > > As I said in the architecture review, the term for the user portal keeps > changing. Over there it’s called a “Captive Portal Server” and a “web portal > server”. Here it’s a “user-portal.” User-portal is indeed the key name, representing the current use case of presenting a portal to a user. Other solutions in the future may use other URIs. In description text, we explain that this is a web portal page. I’d suggest using the user portal term in the architecture. > > One nit: > s/extenal/external Good catch, will fix. Tommy _______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals