Re: [Cbor] Secdir telechat review of draft-ietf-cbor-sequence-01

Stephen Kent <stkent@verizon.net> Wed, 25 September 2019 14:12 UTC

To: Carsten Bormann <cabo@tzi.org>, Stephen Kent <kent@alum.mit.edu>
Cc: secdir@ietf.org, draft-ietf-cbor-sequence.all@ietf.org, ietf@ietf.org, cbor@ietf.org
References: <156779251575.21899.11186203310854403491@ietfa.amsl.com> <9C5B6D0A-98DA-4A35-A8A9-ACA4FCDBB91F@tzi.org>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <42c37ccd-1660-1efd-5fa5-80f174a80d4d@verizon.net>
Date: Wed, 25 Sep 2019 10:12:09 -0400
In-Reply-To: <9C5B6D0A-98DA-4A35-A8A9-ACA4FCDBB91F@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/6md26Q1h0NgjtzyIBqhJ1WRFr7U>

Carsten,
> Hi Stephen,
>
> thank you for this review.
>
> On Sep 6, 2019, at 19:55, Stephen Kent via Datatracker <noreply@ietf.org> wrote:
>> The second paragraph of the Security Considerations section reminds the
>> reader that decoders (parsers) ought to be designed with the understanding that
>> inputs are untrusted - good advice. I'd be happier if the final sentence
>> changed "must" to "MUST" to reinforce this admonition.
> Here I have a question: It seemed to me that we generally try to avoid putting BCP14 keywords into security considerations sections - after all, the interoperability requirements should be handled in the actual protocol definition, not in the security considerations after the fact.
I am not aware of the convention you mention re BCP 14 keywords in the 
Security Considerations section. I'm pretty confident that I have seen 
the use of such keywords in other SC sections in the past.
> This MUST would be an implementation requirement.  Is this something we want to do in a security considerations section?  RFC 3552 appears to be silent about this.

I don't think 3552 makes a statement on this topic either way.

Steve