Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-07
Mohit Sahni <msahni@paloaltonetworks.com> Fri, 03 March 2023 21:36 UTC
Return-Path: <msahni@paloaltonetworks.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06655C1522BE for <ace@ietfa.amsl.com>; Fri, 3 Mar 2023 13:36:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.093
X-Spam-Level:
X-Spam-Status: No, score=-7.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b="onh8k0vk"; dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b="UezZBdP1"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id udIRz1Ylpxwo for <ace@ietfa.amsl.com>; Fri, 3 Mar 2023 13:36:25 -0800 (PST)
Received: from mx0b-00169c01.pphosted.com (mx0b-00169c01.pphosted.com [67.231.156.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0B1CC1522B9 for <ace@ietf.org>; Fri, 3 Mar 2023 13:36:24 -0800 (PST)
Received: from pps.filterd (m0048188.ppops.net [127.0.0.1]) by mx0b-00169c01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 323Hoio9002805 for <ace@ietf.org>; Fri, 3 Mar 2023 13:36:23 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=PPS12012017; bh=Je0l17REPvlfdd4xRbgYpdbQPW7L6X5zwX1ifx44QHg=; b=onh8k0vknsaIwqWSYCpII9KK1mki5/wL2gCLxqgJHY83t+DUkgveLpzy8nMH3mMDkkkC goah8ovMGA0K3Xa+Rh85Xigjxb7cEZubqZjL6okYMiU9M3lqL6wElgg/gqbrImIlCfUK F5YEPL4DgnkMsG9fZGYT+FuG4VIa/HQRuebXS/nIjJdo4sjeVjekxp2mo9uzE4fFftT5 szssqOcJ5fjjFNJUiaON4p7pxmImVV8KBtBduuB6FA1y7KMY8EB+WK5PcIT30fguXobd y7BtNwmlUK9zRENSdCUay6mQnrBX51BIsEdl18eLFJwYjeEIZHrtFY3a4PA41Ns+xhOh /g==
Received: from mail-yw1-f198.google.com (mail-yw1-f198.google.com [209.85.128.198]) by mx0b-00169c01.pphosted.com (PPS) with ESMTPS id 3p22vcc5ft-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <ace@ietf.org>; Fri, 03 Mar 2023 13:36:23 -0800
Received: by mail-yw1-f198.google.com with SMTP id 00721157ae682-536bf635080so37684757b3.23 for <ace@ietf.org>; Fri, 03 Mar 2023 13:36:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; s=google.paloaltonetworks.com; t=1677879382; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Je0l17REPvlfdd4xRbgYpdbQPW7L6X5zwX1ifx44QHg=; b=UezZBdP1iWU5yu46a8uxJq6eCynytqKdfo1cn7s80k5U3zXCbAmdbglDD29C2bgfRm GyWgbCjslP2iOI9RnrjhWMjYLZp527B6cZeI1T9SDOn79TAez6XPul+92hHD7LPNMnM4 BnF8EuFNl81MK00N/Kgb4b39iGMRaLx/DdnAuhb3zQ8/wOiKzwlaRCjEvmXp8UgfJxov KtedCDU2SSVt3vzGM9wwig0wyVYteG7PrfBdN0b8dSheRCIvmmd8dnfkKTKt3DAV9JP9 X0B2WTcCd+eXMPIK363wb248isSjRKq3HA6zbFEEVuTaYRXbyDc4pSCzjWyfcFsoiGtG qrCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677879382; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Je0l17REPvlfdd4xRbgYpdbQPW7L6X5zwX1ifx44QHg=; b=hzi1Qito/wf3/ZEEKoFwZ4jfgSyCpCeBx6+PRtFn7DpUC7oF2dCzSAUfKYZ04L/Yry /IZbRbVIruPvrdSz1H3uz0piSwrR7sx2fl/5fRVkkNxK8Cm279fp83mTXZTkCIMB/jFB Bt8kHHeufpXov1e2iMp2Qhh6klSqxKCbYtWnvVHAxewMWozl1m09zXJ4/6qtvTTdMxos YaI0FYFCjdVnZcOcC9cI7PeHE4vLT0ZHWcl/7KyB90yg/fXGojySSHTAhOD15Ol44X0S jogYVXS/OMPE7umOBHRRDifD2JTRRxlMkxQ2zyNd1d7HIDp2lEr7EM3JxZgL36DX9+mG bNgA==
X-Gm-Message-State: AO0yUKUlhSkzNWvZkSPoAUXSAQQSqh6F4EanPARmJJFtuES75sJLXyfV Jr+DjuGkKCzY6O+ETkHYw1pBb9NRkwbTVzXYSbp3H+HP8H29OMjgctrvGONfQu2M6tAi7DeSsuM Nl8be1KZ5H2pR2jy4CzNPDFEshvtgEQ==
X-Received: by 2002:a5b:1cb:0:b0:aa2:475c:2982 with SMTP id f11-20020a5b01cb000000b00aa2475c2982mr1561294ybp.1.1677879382361; Fri, 03 Mar 2023 13:36:22 -0800 (PST)
X-Google-Smtp-Source: AK7set9JnRhD+GwmeOx+rH39QzNoxrDuqHXaPCdg1Y0FNBcuCNctTZnzhVt5GQtLWk0+QdD6XITUcpnpo3G/b7DPlLU=
X-Received: by 2002:a5b:1cb:0:b0:aa2:475c:2982 with SMTP id f11-20020a5b01cb000000b00aa2475c2982mr1561286ybp.1.1677879381979; Fri, 03 Mar 2023 13:36:21 -0800 (PST)
MIME-Version: 1.0
References: <CAGL5yWZEWE5LfRQ+bNn2mRLo8XPyyaVzvEWAGQLMa6QXvKwabA@mail.gmail.com>
In-Reply-To: <CAGL5yWZEWE5LfRQ+bNn2mRLo8XPyyaVzvEWAGQLMa6QXvKwabA@mail.gmail.com>
From: Mohit Sahni <msahni@paloaltonetworks.com>
Date: Fri, 03 Mar 2023 13:36:10 -0800
Message-ID: <CAMRcsGR44FDPL-KuJ68yoP=6xHEnZnrx=af2888Ow5A=XV-TFw@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: draft-ietf-ace-cmpv2-coap-transport@ietf.org, ace@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008a173705f605bcc6"
X-Proofpoint-ORIG-GUID: dcaKOlyrtCki3TW2U1WwWoGprT6VDOUF
X-Proofpoint-GUID: dcaKOlyrtCki3TW2U1WwWoGprT6VDOUF
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-03_05,2023-03-03_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 malwarescore=0 clxscore=1015 phishscore=0 adultscore=0 mlxlogscore=999 bulkscore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2303030183
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-wQ0s3Eg1PrJ4q1ww3yXEIfESFA>
Subject: Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-07
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2023 21:36:29 -0000
Hi Paul,
Many thanks for the review comments. Please see my response below:
> A CMP client SHOULD send each CoAP requests marked as a
Confirmable message Section 2.1 of [RFC7252].
>
>When would one not use a Confirmable message ? eg why is this a SHOULD and
not a MUST ?
>
>(also, the sentence doesn't make, did you mean to add "as per Section 2.1
....." ? )
<M.S.> Agreed. Will change that. Will fix the "section 2.1 of [RFC..]" too.
> If the CoAP request is successful then the server SHOULD return a
"2.05 Content" response code.
>
> What else could be sent if the SHOULD is not followed? Eg why is this is
a SHOULD and not a MUST ?
<M.S.> based on comments from Ben I changed it to SHOULD from MUST, here is
his comment
>>Perhaps I am reading too much into the analogy between HTTP and CoAP and
>>thus to the applicability of draft-ietf-httpbis-bcp56bis (currently with
the
>>RFC Editor), but it doesn't seem terribly useful to name a specific
response
>>code here. The standard CoAP semantics apply, and we could probably just
>>say that "the paylaod of a successful response contains the DER-encoded
>>...".
However, you raised a valid point so I will change it to:
If the CoAP request is successful then the server MUST return a 2.XX
response code otherwise server MUST return an appropriate CoAP Client Error
4.xx or a Server Error 5.xx response code.
>This gets stranger even in this sentence, where it becomes very unclear:
>
> If the server supports CMP Announcements messages, then it SHOULD
> send appropriate 2.xx success response code, otherwise a 4.xx
> or 5.xx error response code.
<M.S.> Agreed, I will change it to
If the server supports CMP Announcements messages, then it MUST
send an appropriate 2.xx success response code, otherwise it MUST
send a 4.xx
or 5.xx error response code.
>Now "can" is very strange here for not being a SHOULD or MAY or MUST
>
>
> can try after some time to register again
>
<M.S.> Agreed, Change it to "MAY try after some time to register again"
>Same here.
>
>
> Alternatively, an EE MAY poll for the potential changes
>
> What is meant with "potential changes" ?
> (also the grammar of this sentence does not work)
>
> to get information about the changes.
>
>Also here, what "changes" ?
<M.S.> Agreed, I will change it to
Alternatively, an EE MAY periodically poll for the current status of the CA
via the "PKI Information Request" message [Section 6.2 RFC 4210]. If
supported, EEs may also use "Support Messages" defined in section 4.3 of
the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile] to get
information about the changes.
>Section 4:
>
> The CMP protocol depends upon various mechanisms in the protocol
> itself for making the transactions secure therefore, security
> issues of CoAP due to using UDP without cryptographic protections
> for message confidentiality and integrity, do not carry over to
> the CMP layer. The Security considerations for CoAP are mentioned
> in the [RFC7252].
>
>This is a very vague sentence that also does not read well. And I do not
>understand the "carry over" parts. Perhaps something like:
>
> All payloads of the CMP protocol are cryptographically protected
> against malicious modifications. As such, UDP can be used without
> compromising the security of the CMP protocol. Security
Considerations
> for CoAP are defined in [RFC7252].
>
<M.S.> Agreed.
>Similarly the second point:
>
> Although the CMP protocol does not depend upon the underlying
> transfer mechanism for protecting the messages but in cases when
> confidentiality protection is desired, CoAP over DTLS [RFC9147]
> MAY be used providing a hop-by-hop security. The use of DTLS can
> provide confidentiality protection of the CMP-level metadata,
> however it cannot obscure the fact that CMP is being used in
> the underlying layer.
>
>Perhaps instead:
>
> The CMP protocol does not provide confidentiality of the CMP
payloads.
> If confidentiality is desired, CoAP over DTLS [RFC9147] can be used
> to provide confidentiality for the CMP payloads, although it cannot
> conceal that the CMP protocol is used within the DTLS layer.
>
>
<M.S.> Agreed.
>
> Once a DTLS [RFC9147] association is established it SHOULD be
> used for as long as possible to avoid the frequent overhead of
> setting up a DTLS [RFC9147] association for constrained devices.
>
>I think the reference to "as long as possible" is a bit strange. How about:
>
> DTLS associations SHOULD be kept alive and re-used where possible
> to amortise on the additional overhead of DTLS on constrained
devices.
>
<M.S.> Agreed.
>The next bullet point just needs some grammar fixes:
>
> An EE may miss some of the Announcement messages when using CoAP
> Observe option [RFC7641] since Observe option is a "best-effort"
> approach and server can lose state about subscribers for
> announcement messages. The EEs may use alternate method described
> in section 2.6 to get time critical changes like CRL updates.
>
>How about:
>
> An EE might not witness all of the Announcement messages when
using the CoAP
> Observe option [RFC7641], since the Observe option is a
"best-effort"
> approach and the server might lose its state for subscribers to its
> announcement messages. The EEs may use an alternate method
described
> in section 2.6 to obtain time critical changes such as CRL updates.
>
<M.S.> Agreed.
>The next bullet I just do not understand:
>
> In order to to reduce the risks imposed by DoS attacks, the
> implementations SHOULD optimally use the available datagram size
> i.e. avoid small datagrams containing partial CMP PKIMessage data.
>
>Please explain what is meant here and/or rephrase it.
<M.S.>
Here the intent is to warn the implementations to
>
>Section 5:
>
> This document requires a new entry to the CoAP
>
>s/requires/adds
>
> This document also requires
>
>s/requires/adds/
<M.S> Agreed.
>
> in the CMP protocol registry
>
>s/in/to
<M.S> Agreed.
>
>
> Description: The path to send a Get request
>
>Should that be a "GET request" ?
>
>
> This document references the cmp, in the Well-Known URIs IANA
> registry. This document is expected to be published together
> with [I-D.ietf-lamps-cmp-updates]. Please add a reference of
> this document to the Well-Known URIs IANA registry for that entry
>
> This document also refers the path segment "p" in the Certificate
> Management Protocol (CMP) IANA registry. Please add a reference
> of this document to the Certificate Management Protocol (CMP)
> for that path segment.
>
>Please seperate the addition instruction for IANA from the RFC Editor
>instruction. Just state the additions as if the other documents were
>already published, and then add a note using [Note RFC Editor: ...]
>explaining this document should be published after the two referenced
>ones.
<M.S.>
This document references the cmp, in the Well-Known URIs IANA
registry. Please add a reference of this document to the
Well-Known URIs IANA registry for that entry
This document also refers the path segment "p" in the Certificate
Management Protocol (CMP) IANA registry. Please add a reference
of this document to the Certificate Management Protocol (CMP)
for that path segment.
[Note RFC Editor: This document should be published together
or after the [I-D.ietf-lamps-cmp-updates] and
[I-D.ietf-lamps-lightweight-cmp-profile]
as it references IANA entries created by those Internet drafts.
>
>[I-D.ietf-lamps-cmp-updates] and [I-D.ietf-lamps-lightweight-cmp-profile]
>are listed as informative references, but these should be normative
>references (as you point to sections in those documents for syntax)
>
<M.S.> Agreed.
>
>NITS:
<M.S.> I will update the draft with suggested changes.
>
> Here is the list of CMP announcement messages
>
>Do not use "here". Maybe just: The list of CMP ....... are:
>
> An EE MAY use CoAP Observe option
>
>s/use/use the/
>
> to get any announcement messages
>
>s/any/all
>
> If for some reason server cannot add
>
>s/server/the server
>
> A client on receiving
>
>s/on receiving/that receives
>
> allows the EE to receive
>
>s/the EE/an EE
>
> Since the CMP payload is same over CoAP and HTTP transfer
mechanisms
>
>Since the CMP payload is the same wether using CoAP or HTTP transfer
mechanisms
>
> Some recommended mechanisms are as follows:
>
>delete "as follows"
>
> Since the Proxy may have access to the CMP-Level
>
>s/may have/has
>
> therefore proper role based access control should be in place.
>
>s/therefore/, proper role based access controls should be deployed
>
> Proxy can be
>
>s/Proxy/Proxies
>
> to protect them
>
>s/to protect them/for protection
>
> The proxy however may itself be vulnerable to resource-exhaustion
attacks
>
>s/The proxy itself can also be attacked by resource-exhaustion attacks
>
Regards,
Mohit
On Sun, Feb 26, 2023 at 5:49 PM Paul Wouters <paul.wouters@aiven.io> wrote:
> AD review: draft-ietf-ace-cmpv2-coap-transport-07
>
>
> Please see below my AD review comments. I believe a revision of the
> document
> is required before sending it to the IESG. The substantial comments are
> mostly
> about SHOULD vs MUST cases, but there is also a few large pieces of text,
> mostly
> in the Security Considerations section, that need to be reformulated for
> clarity.
> I've tried to propose text where I can.
>
> I've also tried to fixup a few spelling and grammer issues.
>
> Regards,
>
> Paul
>
>
>
>
>
> A CMP client SHOULD send each CoAP requests marked as a
> Confirmable message Section 2.1 of [RFC7252].
>
> When would one not use a Confirmable message ? eg why is this a SHOULD and
> not a MUST ?
>
> (also, the sentence doesn't make, did you mean to add "as per Section 2.1
> ....." ? )
>
>
> If the CoAP request is successful then the server SHOULD return a
> "2.05 Content" response code.
>
> What else could be sent if the SHOULD is not followed? Eg why is this is a
> SHOULD and not a MUST ?
>
> If the CoAP request is not successful then an appropriate CoAP
> Client Error 4.xx or a Server Error 5.xx response code MUST
> be returned.
>
> Especially seeing there is a MUST here.
>
>
> This gets stranger even in this sentence, where it becomes very unclear:
>
> If the server supports CMP Announcements messages, then it SHOULD
> send appropriate 2.xx success response code, otherwise a 4.xx
> or 5.xx error response code.
>
> eg the 'otherwise' clause is not using a SHOULD or MUST, does it inherit
> the
> one from the previous sentence? Also, why SHOULD and not MUST?
>
> it can omit the Observe option
>
> Now "can" is very strange here for not being a SHOULD or MAY or MUST
>
>
> can try after some time to register again
>
> Same here.
>
>
> Alternatively, an EE MAY poll for the potential changes
>
> What is meant with "potential changes" ?
> (also the grammar of this sentence does not work)
>
> to get information about the changes.
>
> Also here, what "changes" ?
>
>
> Section 4:
>
> The CMP protocol depends upon various mechanisms in the protocol
> itself for making the transactions secure therefore, security
> issues of CoAP due to using UDP without cryptographic protections
> for message confidentiality and integrity, do not carry over to
> the CMP layer. The Security considerations for CoAP are mentioned
> in the [RFC7252].
>
> This is a very vague sentence that also does not read well. And I do not
> understand the "carry over" parts. Perhaps something like:
>
> All payloads of the CMP protocol are cryptographically protected
> against malicious modifications. As such, UDP can be used without
> compromising the security of the CMP protocol. Security
> Considerations
> for CoAP are defined in [RFC7252].
>
> Similarly the second point:
>
> Although the CMP protocol does not depend upon the underlying
> transfer mechanism for protecting the messages but in cases when
> confidentiality protection is desired, CoAP over DTLS [RFC9147]
> MAY be used providing a hop-by-hop security. The use of DTLS can
> provide confidentiality protection of the CMP-level metadata,
> however it cannot obscure the fact that CMP is being used in
> the underlying layer.
>
> Perhaps instead:
>
> The CMP protocol does not provide confidentiality of the CMP
> payloads.
> If confidentiality is desired, CoAP over DTLS [RFC9147] can be used
> to provide confidentiality for the CMP payloads, although it cannot
> conceal that the CMP protocol is used within the DTLS layer.
>
>
>
> Once a DTLS [RFC9147] association is established it SHOULD be
> used for as long as possible to avoid the frequent overhead of
> setting up a DTLS [RFC9147] association for constrained devices.
>
> I think the reference to "as long as possible" is a bit strange. How about:
>
> DTLS associations SHOULD be kept alive and re-used where possible
> to amortise on the additional overhead of DTLS on constrained
> devices.
>
> The next bullet point just needs some grammar fixes:
>
> An EE may miss some of the Announcement messages when using CoAP
> Observe option [RFC7641] since Observe option is a "best-effort"
> approach and server can lose state about subscribers for
> announcement messages. The EEs may use alternate method described
> in section 2.6 to get time critical changes like CRL updates.
>
> How about:
>
> An EE might not witness all of the Announcement messages when
> using the CoAP
> Observe option [RFC7641], since the Observe option is a
> "best-effort"
> approach and the server might lose its state for subscribers to its
> announcement messages. The EEs may use an alternate method
> described
> in section 2.6 to obtain time critical changes such as CRL updates.
>
> The next bullet I just do not understand:
>
> In order to to reduce the risks imposed by DoS attacks, the
> implementations SHOULD optimally use the available datagram size
> i.e. avoid small datagrams containing partial CMP PKIMessage data.
>
> Please explain what is meant here and/or rephrase it.
>
> Section 5:
>
> This document requires a new entry to the CoAP
>
> s/requires/adds
>
> This document also requires
>
> s/requires/adds/
>
> in the CMP protocol registry
>
> s/in/to
>
>
> Description: The path to send a Get request
>
> Should that be a "GET request" ?
>
>
> This document references the cmp, in the Well-Known URIs IANA
> registry. This document is expected to be published together
> with [I-D.ietf-lamps-cmp-updates]. Please add a reference of
> this document to the Well-Known URIs IANA registry for that entry
>
> This document also refers the path segment "p" in the Certificate
> Management Protocol (CMP) IANA registry. Please add a reference
> of this document to the Certificate Management Protocol (CMP)
> for that path segment.
>
> Please seperate the addition instruction for IANA from the RFC Editor
> instruction. Just state the additions as if the other documents were
> already published, and then add a note using [Note RFC Editor: ...]
> explaining this document should be published after the two referenced
> ones.
>
>
> [I-D.ietf-lamps-cmp-updates] and [I-D.ietf-lamps-lightweight-cmp-profile]
> are listed as informative references, but these should be normative
> references (as you point to sections in those documents for syntax)
>
>
> NITS:
>
> Here is the list of CMP announcement messages
>
> Do not use "here". Maybe just: The list of CMP ....... are:
>
> An EE MAY use CoAP Observe option
>
> s/use/use the/
>
> to get any announcement messages
>
> s/any/all
>
> If for some reason server cannot add
>
> s/server/the server
>
> A client on receiving
>
> s/on receiving/that receives
>
> allows the EE to receive
>
> s/the EE/an EE
>
> Since the CMP payload is same over CoAP and HTTP transfer
> mechanisms
>
> Since the CMP payload is the same wether using CoAP or HTTP transfer
> mechanisms
>
> Some recommended mechanisms are as follows:
>
> delete "as follows"
>
> Since the Proxy may have access to the CMP-Level
>
> s/may have/has
>
> therefore proper role based access control should be in place.
>
> s/therefore/, proper role based access controls should be deployed
>
> Proxy can be
>
> s/Proxy/Proxies
>
> to protect them
>
> s/to protect them/for protection
>
> The proxy however may itself be vulnerable to resource-exhaustion
> attacks
>
> s/The proxy itself can also be attacked by resource-exhaustion attacks
>
>
- [Ace] AD review of draft-ietf-ace-cmpv2-coap-tran… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Saurabh Tripathi
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault