Re: [Ace] Lars Eggert's No Objection on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

[Stefanie Gerdes <gerdes@tzi.de>]

Hi Lars,

Thank you for your detailed comments, and sorry for the late reply. We
addressed the issues as suggested. Sorry for the late reply.

Thank you for your time,
Steffi


On 3/24/21 6:56 PM, Lars Eggert via Datatracker wrote:
> Lars Eggert has entered the following ballot position for
> draft-ietf-ace-dtls-authorize-16: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ace-dtls-authorize/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Section 3.4, paragraph 4, comment:
>>    The resource server MUST only accept an incoming CoAP request as
>>    authorized if the following holds:
> 
> "MUST only" is odd, suggest to rephrase. (See below.)
> 
> -------------------------------------------------------------------------------
> All comments below are very minor change suggestions that you may choose to
> incorporate in some way (or ignore), as you see fit. There is no need to let me
> know what you did with these suggestions.
> 
> Section 11.1, paragraph 12, nit:
>>    [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
>>               RFC 8152, DOI 10.17487/RFC8152, July 2017,
>>               <https://www.rfc-editor.org/info/rfc8152>.
> 
> Unused Reference: 'RFC8152' is defined on line 1144, but no explicit reference
> was found in the text
> 
> Section 11.1, paragraph 16, nit:
>>    [RFC5077]  Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
>>               "Transport Layer Security (TLS) Session Resumption without
>>               Server-Side State", RFC 5077, DOI 10.17487/RFC5077,
>>               January 2008, <https://www.rfc-editor.org/info/rfc5077>.
> 
> Obsolete informational reference (is this intentional?): RFC 5077 (Obsoleted by
> RFC 8446)
> 
> Section 11.1, paragraph 22, nit:
>>    [RFC8613]  Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
>>               "Object Security for Constrained RESTful Environments
>>               (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
>>               <https://www.rfc-editor.org/info/rfc8613>.
> 
> Unused Reference: 'RFC8613' is defined on line 1208, but no explicit reference
> was found in the text
> 
> Section 3.2.2, paragraph 3, nit:
> -    To be consistent with [RFC7252] which allows for shortened MAC tags
> +    To be consistent with [RFC7252], which allows for shortened MAC tags
> +                                   +
> 
> Section 3.3.2, paragraph 3, nit:
> -    be consistent with the recommendations in [RFC7252] a client is
> +    be consistent with the recommendations in [RFC7252], a client is
> +                                                       +
> 
> Section 3.4, paragraph 4, nit:
> -    The resource server MUST only accept an incoming CoAP request as
> -                             ^^^^
> -    authorized if the following holds:
> -                                ^^ --
> +    The resource server MUST NOT accept an incoming CoAP request as
> +                             ^^^
> +    authorized if any of the following fail:
> +                  +++++++              ^^^
> 
> Section 7.1, paragraph 3, nit:
> -    [RFC7925] requires clients to decline any renogiation attempt.  A
> -                                                  ^
> +    [RFC7925] requires clients to decline any renegotiation attempt.  A
> +                                                 ++ ^
> 
> 
>