[core] draft-ietf-core-oscore-groupcomm-26 ietf last call Secdir review
Mališa Vučinić via Datatracker <noreply@ietf.org> Tue, 29 July 2025 05:31 UTC
From: Mališa Vučinić via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Date: Mon, 28 Jul 2025 22:31:51 -0700
CC: core@ietf.org, draft-ietf-core-oscore-groupcomm.all@ietf.org, last-call@ietf.org
Reply-To: Mališa Vučinić <malisa.vucinic@inria.fr>
Subject: [core] draft-ietf-core-oscore-groupcomm-26 ietf last call Secdir review
Document: draft-ietf-core-oscore-groupcomm
Title: Group Object Security for Constrained RESTful Environments (Group OSCORE)
Reviewer: Mališa Vučinić
Review result: Ready

I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document specifies a group communication mode of OSCORE (RFC8613). As per this document, the endpoints in a group can communicate using a “group” mode and a “pairwise” mode. The group mode requests are source-authenticated using a countersignature, while pairwise exchanges are symmetrically-protected using a secret derived from a static-static DH key agreement algorithm. The document reuses the elements of OSCORE and complements the processing with actions dependent on the mode used.

The document is well written and thorough. The constructs used seem solid and ensure the (nonce, key) pair uniqueness.

Specifically on the Security Considerations section, the section details a number of implications on security and also details the security properties in group mode. One point I would like to make is that the pairwise mode deserves a clear list of claimed security properties, similar to how the group mode is discussed in Section 14.1. Also, it could perhaps be useful to discuss the security properties this specification does not aim to meet, specifically in comparison with other similar protocols like e.g. RFC9420.
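The pairwise mode the review describes rests on a static-static Diffie-Hellman agreement: each endpoint combines its own long-term private key with the peer's long-term public key, and the resulting shared secret is fed into a key derivation so that both sides end up with the same directional symmetric keys. The following Python example is added here to illustrate that mechanism; it is not code from the draft, from the reviewer or from any Group OSCORE implementation. It implements X25519 (RFC 7748) in pure Python with the RFC 7748 section 6.1 example key pairs, and an HKDF-SHA256 derivation in which the OSCORE Sender Key acts as salt and the two public keys plus the shared secret form the input keying material. That derivation layout, the `info` label and the 16-byte Sender Keys are assumptions chosen for illustration and do not reproduce the draft's exact formula; the conditional swaps are not constant-time and the code is not meant for production use.

```python
import hashlib
import hmac

# --- X25519 over Curve25519 (RFC 7748), illustrative, not constant-time ---
P = 2**255 - 19
A24 = 121665                       # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, little-endian


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clear low 3 bits (cofactor clearing)
    k[31] &= 127         # clear top bit
    k[31] |= 64          # set bit 254
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # ignore the unused top bit of the u-coordinate
    return int.from_bytes(u, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte u-coordinate."""
    k = _decode_scalar(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# --- HKDF-SHA256 (RFC 5869) ---
def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


# Assumed label; the draft's real info structure is not reproduced here.
PAIRWISE_INFO = b"illustrative Group OSCORE pairwise key"


def derive_pairwise_keys(own_priv, own_pub, own_sender_key,
                         peer_pub, peer_sender_key, length=16):
    """Return (send_key, recv_key) for the pair (self -> peer, peer -> self).

    Illustrative layout (an assumption, not the draft's formula): the static-static
    shared secret is concatenated with both public keys (sender first) and expanded
    with the message sender's OSCORE Sender Key as HKDF salt, so each direction gets
    its own key and both endpoints derive the same two keys.
    """
    shared = x25519(own_priv, peer_pub)
    send_key = hkdf(own_sender_key, own_pub + peer_pub + shared, PAIRWISE_INFO, length)
    recv_key = hkdf(peer_sender_key, peer_pub + own_pub + shared, PAIRWISE_INFO, length)
    return send_key, recv_key


# RFC 7748 section 6.1 example keys (published test values, not secrets).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
# Constructed sample OSCORE Sender Keys (16 bytes each), not from any real context.
ALICE_SENDER_KEY = b"alice-sender-key"
BOB_SENDER_KEY = b"bob---sender-key"

if __name__ == "__main__":
    a_send, a_recv = derive_pairwise_keys(ALICE_PRIV, ALICE_PUB, ALICE_SENDER_KEY, BOB_PUB, BOB_SENDER_KEY)
    b_send, b_recv = derive_pairwise_keys(BOB_PRIV, BOB_PUB, BOB_SENDER_KEY, ALICE_PUB, ALICE_SENDER_KEY)
    print("Alice->Bob key agreed:", a_send == b_recv)
    print("Bob->Alice key agreed:", b_send == a_recv)
    print("directions differ:    ", a_send != a_recv)
```

Running the module shows the property the review's pairwise mode depends on: each endpoint computes the shared secret from its own static private key and the peer's static public key, the two computations agree, and the two message directions get distinct keys because the derivation is salted with the respective sender's key. Because the shared secret is fixed for a given pair of long-term keys, the freshness of each pairwise key comes entirely from the OSCORE context material mixed in, which is one reason a reviewer would want the pairwise mode's claimed properties listed explicitly.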