Re: [Gen-art] Genart last call review of draft-ietf-ace-oscore-profile-11

Benjamin Kaduk <> Mon, 27 July 2020 18:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D48C3A1B94; Mon, 27 Jul 2020 11:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id otWviUKgdzM9; Mon, 27 Jul 2020 11:01:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C58523A1B40; Mon, 27 Jul 2020 11:01:50 -0700 (PDT)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 06RI1fcJ010082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 27 Jul 2020 14:01:44 -0400
Date: Mon, 27 Jul 2020 11:01:41 -0700
From: Benjamin Kaduk <>
To: Elwyn Davies <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-ace-oscore-profile-11
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 27 Jul 2020 18:01:58 -0000

On Tue, Jul 21, 2020 at 03:56:07PM -0700, Elwyn Davies via Datatracker wrote:
> Reviewer: Elwyn Davies
> Review result: Almost Ready
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> For more information, please see the FAQ at
> <>.
> Document: draft-ietf-ace-oscore-profile-11
> Reviewer: Elwyn Davies
> Review Date: 2020-07-21
> IETF LC End Date: 2020-07-20
> IESG Telechat date: Not scheduled for a telechat
> Summary:  Almost ready.  There is one minor issue that needs sorting out and a
> fair number of nits.  Overall I have to say that I found it difficult to keep
> clear in my mind what messages were fully encrypted and which ones were sent en
> clair and which are in some intermediate class.  The authors might wish to go
> back over the document from the point of a naive reader to ensure that it is
> clear for implementers.
> Major issues:
> None
> Minor issues:
> s2, para 5:  Where does the 'input salt' come from?  The term is not used
> anywhere else in this document and  isn't defined or mentioned in either
> dreft-ace-oauth-authz or RFC 8613.

Hmm, it looks like this was introduced in the -09 as a result of one of my
review comments (as the formulation in the -08 implicitly had the name
"Master Salt" refer to both the string with and without N1+N2).  I think I
forgot enough of how this works that the authors will need to chime in with
an appropriate clarification of where the original ("input") salt comes

Thanks for spotting that (as well as the other comments),