[Lake] Review of draft-ietf-lake-edhoc-12

Marco Tiloca <marco.tiloca@ri.se> Wed, 03 November 2021 16:26 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 389143A0A49 for <lake@ietfa.amsl.com>; Wed, 3 Nov 2021 09:26:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYRceS0BCys1 for <lake@ietfa.amsl.com>; Wed, 3 Nov 2021 09:26:15 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60088.outbound.protection.outlook.com [40.107.6.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB3253A0A60 for <lake@ietf.org>; Wed, 3 Nov 2021 09:26:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EVlFGe6J2kk74nRVWMdxdD3qNiI42YJXyQt+K8fSgKXZJWAbe8EMAkEtczRmo2NDKUtUZ1qPYqi5Z4nB2FThViqEkQTYe0fmF6AkT7Cqn2LXyc4+XNadMYqdNamiwfodQtGPZScAjDoRJHRpqEqBZUCVe7r1ZuIYB7MqKU+wyBpee4AMtBzJYESLM2sm9PpkV0DvY9RD472+QYGS8cc2sYUmWqVtUGDZYXfzJvFoG6+4+iTK2pDJ92PKvFyl/V66xtrmKJXWs719z9orL8ZPP9uLk7CHH5hL2mFbapG5GmhFZr+3mmcEa2kx1v7txQixnHK+qXBPjpSyIEjp9FVCqQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/BPyi2t7qf7rm0peDbJH+p0tMTcLTR94UBOBU8HjBWg=; b=FtZ4tSa8qA3FoVgL6a/y7OKDIr5EPaDDOZhW8RgyCr3YosaCaeyPIvVXRfXSUP5t6XpfUGkfsNeFzi8rUbTKzXii7bDLFK+hwfovXINrnGK7MnT/yW8jPPxJ/mG7kZTmIQayBwhfXc5Q8K3U+M21qL5WpxoGqI9rpAITKpyhR+Ipj56q8zTRU+cKnRa4mEH7r6seflYVQXbweAoRU5+AU55j1cergB/zxLQiDz6XZqwrZyjT76vGqWo66Hcn78bIwFz24oqcim6+UAjRghp8WNjWOd5ldNCRBfv2FK/i1xsu23F5LA0eUb3tb379DRSfG0jnhJiUnkTdyXAfn0CLWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/BPyi2t7qf7rm0peDbJH+p0tMTcLTR94UBOBU8HjBWg=; b=hBPkTl2AwWYM3eT8zkuVSfuIV5w7XADXZCX1mXAHhM6VBgRA4pn06at1aWNrvV1gOVVFF2Z435/NEBqHBlkacVipfmbXR1+C3NDBYtehDYQ41gY7LerefpuEXIJpwXMxEd4w09YD3Q1m9pJuL1G5viQQQYcYpjNm7+4k+65oltg=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by DB9P189MB1578.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:2a6::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Wed, 3 Nov 2021 16:26:10 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::4dd0:ed4b:e776:d560]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::4dd0:ed4b:e776:d560%3]) with mapi id 15.20.4669.011; Wed, 3 Nov 2021 16:26:10 +0000
To: "lake@ietf.org" <lake@ietf.org>
From: Marco Tiloca <marco.tiloca@ri.se>
Message-ID: <5bc7e680-1513-f838-1188-8e2b67630430@ri.se>
Date: Wed, 3 Nov 2021 17:26:08 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="upQwiB3eirFMDN3CJIz7aOreKPcWJ4dIe"
X-ClientProxiedBy: GV3P280CA0069.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:a::30) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
Received: from [10.8.1.2] (45.83.91.172) by GV3P280CA0069.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:a::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.10 via Frontend Transport; Wed, 3 Nov 2021 16:26:10 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 724400ca-1580-4af0-4c74-08d99ee6a586
X-MS-TrafficTypeDiagnostic: DB9P189MB1578:
X-Microsoft-Antispam-PRVS: <DB9P189MB1578697EDA3212595D1F1A3C998C9@DB9P189MB1578.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:7691;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: EYLu1pb108QE282MosYSA7W9pr9P43HIlhUfdOsdyzhzo2uGY4gWtxqyEGp5hH+K0F5vDKx+SQRFKiQ2WeDmT41Xudm35CVXY6vBy1OFbnHjh7ALWpDj91DiYAxVl5pmZfF8Vkz6kJvTbiwk6aP81k21XBGeyMQEZ/EHeQuOXhZrv6awBdpPavjFxH5zZ0Drv1Uro6eyghWWDLB8iCHxSk78fFpZ+Y0uJAcqHgbhxmn4WsWyqK6ub5HV9ahxvZYRlRz8Vv+OtW8rYLHUw8Oll7aMXa/kkEFlERiVhBDr4XqcE38VehF4eFWzR6bdMs1pR5IJ2W2yqfvjsUnGkVo+KtLKNCeg96yyO6fLf9l7sY4SpAUsLGjOoMcDO/XsJjhqxUeyJ+HC/QMwk4lLYKkCCO/15qSWpuhtw86ETMKHueHtKmHMQhH8nrZM44cSMGT5vfE2r/Qx97CMMUEnfSrwxHDCoFB4F1VdK7g0Yi6vSDStV2M4lhtcfBtaaNh7jCsF3MK0kwgc2hGPmLquLBlbyQWz1KNexY62Dby/Mr130LSZqUIpWGr+/CmHiPMpEw9czvxJstJum5VAnK7F/TI3qDo0kGj6x3TGsb5uQl462YbK++W+WieOrIVwIJrP7gcsQgEiYmmfxZ2gb+M1CS+JnWr64tGIoruEgL0S8AbUKHQRF9Qqbrjcw833W7HUXtF3wzydCEKeEwgaFEtoPLNjB5lVZvvcSl+XOXb8+cLuB0KCHotrtuWIrU8/mrsCU1S6aAAfCVnnNtR7p4TZewfW9q0F/IwWVYevzt2UBXz0GTl3tADBh0wclvafHMQtU9VP8k8EmkYQML8GIdFcbULWlg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(66574015)(36756003)(956004)(8676002)(5660300002)(38100700002)(186003)(8936002)(316002)(86362001)(21480400003)(508600001)(31696002)(26005)(66476007)(66556008)(966005)(66946007)(2616005)(6486002)(31686004)(30864003)(44832011)(6916009)(235185007)(2906002)(16576012)(33964004)(83380400001)(43740500002)(45980500001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?TkMzSG4vMWdJRldnaU5vOFFscjQvR1dIMSt2a09aTEpBT1R0czc0UDl3bmNa?= =?utf-8?B?THlub2xoLzQ5VmZjWHFXdzA5cTIxUklVZlI0MUdaMjFlRU1RNTNmdGtPc3FI?= =?utf-8?B?WGgrdjVuS3M3cXpkcmVtWHFqcGt4c2FwLzZQOUZJU1FzQlRsRitScnJpNUdM?= =?utf-8?B?RkVZbzZqdkprTkkyWmVEaVhkWEhDcUtQVzBSQXltbHBlRjQ0c2N2YUtXWlVQ?= =?utf-8?B?eENJa05IeHlMNS9VN2JQMGQ3bDhPMTE5Q0J6dTNId1RLRW9wVS9GZVJPbE5N?= =?utf-8?B?UkJwTWZ6bjRLUUVVSmxhMGJXcS9jQy9HdHBLOEZHTlRZaEFsUTFnQzhSbjho?= =?utf-8?B?b2dzK3kzUUNFS3pEdFZUSldiRmlPR1BXRCt2Z3U3U1pmaHNHOXc5aEgrdVYy?= =?utf-8?B?TTZ4emNoakNVeGZRaEhZeVp3d2JHVDVScmc4bmZuMnZGL1JqN2hIY0FoUnpm?= =?utf-8?B?djZtV01aMml2V01QMDFud2c1enpnVWhNK08vaDdjZEV3aVdubHhFM1hGM0ha?= =?utf-8?B?cFloTlA4VmJnakJaVVNqbTZYanpaTUhjTnoreGxTQXI3cXpSaXlxNER5QzBS?= =?utf-8?B?YVVyZFYwdkVCdFd5NExCMFhacHVLNjEyNEZpNUN5Z1YzY0RnREkyMGEvZnJT?= =?utf-8?B?dVdaMjRXU3NEY3RYYVJMRnFCbU9UMjd1djBlbGlneHZieVlWRkF5TGlTUXhZ?= =?utf-8?B?SFdDTTZRZi9UdStlS1kyWndtSkdoc0E4SE5PU2o1dHlCWTIrWWxNcGJhM29J?= =?utf-8?B?cXp5WC9pZ0F4TE1DVHVjcjVTME5YQUhEMUx3dWxIVFgrak5reUc2aDVkRVVC?= =?utf-8?B?b0lVUWtFazVMRlJON1V1L3lMU2JNTzBseWZYemh0MlFzcjNxMDdDdE1zVWk5?= =?utf-8?B?YStvYXhSRFVTL2JqMkN4Uk1UTlZxOENnQ0ZGRUt5NkZYVlNUYVNzNFBKSC9H?= =?utf-8?B?aVU1aFQ3clJIb1dMQUNaRmoyWjNabFRmcmxuVlJpajVJWThUdkRGSkhUcW9O?= =?utf-8?B?eHpDbVVNMk9RRXQ2VHQ1ODZVYXFvS2dHT3luNnBKMVM0d3NBMTErRUJJc1hv?= =?utf-8?B?eXRUdTErUG41L2E1M21ubm9vOFB2eVlZeUgzV21zbU92TWhla2hsZW92ZW9F?= =?utf-8?B?R3hlL1ZiMWxDc05lOEZpaERiZjRBaGFZQ3BxWngyTk1aU3VjZXRhK0NrNjFi?= =?utf-8?B?Q2s1ZTNxdUQ4eW0vWHd1QmU0WUlQVGxlMjJzY3JRZ0F1OXF0dFJHVGFFMFRh?= =?utf-8?B?VFZoaEhUM0xyZXVoc3c4VjV0dGNqSUZSYlNST25FRlBRZGFZUXlpU2JuYXk3?= =?utf-8?B?d0s2aHVJdWpJeEVVWlR1Q1JsL0x1dnhNdk5JU240UzFDL2wxM2ZTdzdhdDFO?= =?utf-8?B?RWpuUXg3dlhQSmFiVTBhQjBUTHBad3lMbVJqU1ZubDNIb1hCajlNTU5LQnJ2?= =?utf-8?B?VjNWNjVYYkFUV3dnWWIrVmhEOFZOb2hWT2pmclJQb0drWFRMUUJnMENCT09P?= =?utf-8?B?d0VISGVHbGRjQWYwK3N5bWw2Zlg1VG1DdEtWTGpWclhxc0huWldOejF0d0ZG?= =?utf-8?B?WUpCUVZZaXFIdE5hakhZd1dueEwrQVhEWVhMWlRoWU5OQ3dmRU9HTXZyZDdS?= =?utf-8?B?NTVzUjRKQXZxcmhHem9hUit2Z0NGRmJvb004aUZ0MWV5dE1VM3VqMHZPUkFz?= =?utf-8?B?dXRUWEdZUjU0TGx0dzh0YTNFQWpKaXVjUFJEZ2c0WlBhUk13d3NZQVVnOVZV?= =?utf-8?B?eXd5aUdNMFYwb3YzMDlJN05LTjFqcjZQa1JVeEs5R3ZCZXdyMzNVU0JyTXB3?= =?utf-8?B?NDdtWlplRWxwbmZGNzRDc0RaVUVPWnk1SXhXOE9EQmx5Q0xnOXV1cWpXYnlw?= =?utf-8?B?ZzJ5bG84UU56OEdNbys2bHp1bWRaMG5hYXovUUhiUEN4UGpBalVlancxTXMw?= =?utf-8?B?ZjR0ZlBIaGJpVHQ2NGtJeUZhTHNGMW9VV3JzdlBoSjAyNi9ibFJTZitFK29B?= =?utf-8?B?a0oxanBQZTRFQjBuNlY4R0hZalR4VWpVMUVudFB5azVVQjhscWFZMlo0cXZE?= =?utf-8?B?SEpBUlVJZE9xdXJHdTk0VWcwRXRvaVhZKzBzQkRKdTFJNjRFMS9MeENRakFs?= =?utf-8?B?ZnRBV1VhZ0dkSktGcXNFekkwNDQ2VVlwTlk0Z1RHY0ZmY2grcWFackZpbnhF?= =?utf-8?Q?bhYLDdbO4Ui4zeZvb3pux0c=3D?=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 724400ca-1580-4af0-4c74-08d99ee6a586
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Nov 2021 16:26:10.7778 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: gDyr6Iw2tog4i06gWwuaXNYwcITu1cz2XLxb2zbE2SR009LM6Xn5mPnjbnFYay9WnX5WfRTnyI/EIhXNE7+WvQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9P189MB1578
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/H9VmTuS5XUL4H72NF6jpVtQ40yQ>
Subject: [Lake] Review of draft-ietf-lake-edhoc-12
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2021 16:26:20 -0000

Hi all,

As promised, please find below my review of EDHOC v -12.

Best,
/Marco

=============

[Section 1.1]

* "This specification focuses on referencing instead of transporting 
credentials to reduce message overhead."

    It is possible to transport credentials both by reference and by 
value. What suggests the case of transport by reference to be the 
"focus"? Perhaps you mean that it is possible and preferable/recommended 
to transport credentials by reference?

* "future algorithms and credentials targeting IoT"

    This probably means "future algorithms and identity credential types 
targeting IoT".

* s/compromise of the long-term keys/compromise of the long-term 
identity keys


[Section 1.3]

* s/the number of bytes in EDHOC + CoAP can be/the EDHOC message size in 
bytes when transferred in CoAP can be


[Section 1.5]

* "and CDDL [RFC8610]. The Concise Data Definition Language (CDDL) is 
used to express CBOR data structures [RFC8949]"

    can be rephrased as:

    "and the Concise Data Definition Language (CDDL) [RFC8610], which is 
used to express CBOR data structures [RFC8949]"


[Section 2]

* "Verification of a common preferred cipher suite"

    Shouldn't this say: "Verification of a commonly supported cipher 
suite which is most preferred by the Initiator" ?


[Section 3.2]

* In Figure 4, the second and third column can rather have labels 
"Initiator Authentication Key" and "Responder Authentication Key".


[Section 3.3]

* "or in a subsequent application protocol"

    can be expanded as:

    "or of an application/security context in a subsequent application 
protocol"


[Section 3.4.1]

* "EDHOC transports that do not inherently provide correlation across 
all messages of an exchange"

    can be rephrased as:

    "Transports that do not inherently provide correlation across all 
EDHOC messages of an exchange"


[Section 3.5.1]

* "The EDHOC implementation or the application must enforce information 
about ..."

    can be rephrased as:

    "The EDHOC implementation or the application must take a decision on 
allowing or not a connection based on information about ..."

* s/if it is allowed to communicate with/if it is allowed to communicate 
with those


[Section 4.3]

* The context can for example be the empty (zero-length) sequence or a 
single CBOR byte string.

    Isn't the context supposed to be just a single CBOR byte string? See 
how it is defined in Section 4.2 when introducing Expand.

* s/where H() is the hash function/where H() is the EDHOC hash algorithm


[Section 5.1]

* s/a second time for EDHOC processing/a second time for EDHOC 
processing within the same ongoing session


[Section 5.2.3]

* "If an error message is sent, the session MUST be discontinued."

    Is this sentence actually required? Regardless sending an error 
message or not, the session is discontinued if any processing step 
fails, which is the reason for possibly sending an error message. Or are 
there situations where an error message is sent even if no processing 
step fails?


[Section 5.3.1]

* "G_Y, the ephemeral public key of the Responder, and ..."

    Just to avoid any risk to interpret this as the concatenation of 
three elements, I suggest to rephrase as:

    "G_Y (i.e., the ephemeral public key of the Responder) and ..."


[Section 5.3.2]

* s/H() is the hash function in/H() is the EDHOC hash algorithm in

* "is the 'signature' field of a COSE_Sign1 object as defined in Section 
4.4 of [I-D.ietf-cose-rfc8152bis-struct] using the signature algorithm ..."

    should be rephrased as:

    "is the 'signature' field of a COSE_Sign1 object as defined in 
Section 4.2 of [I-D.ietf-cose-rfc8152bis-struct], computed as defined in 
Section 4.4 of [I-D.ietf-cose-rfc8152bis-struct] by using the signature 
algorithm ..."


[Section 5.3.3]

* "If an error message is sent, the session MUST be discontinued."

    Is this sentence actually required? Regardless sending an error 
message or not, the session is discontinued if any processing step 
fails, which is the reason for possibly sending an error message. Or are 
there situations where an error message is sent even if no processing 
step fails?


[Section 5.4.2]

* s/H() is the hash function in/H() is the EDHOC hash algorithm in

* "is the 'signature' field of a COSE_Sign1 object as defined in Section 
4.4 of [I-D.ietf-cose-rfc8152bis-struct] using the signature algorithm ..."

    should be rephrased as:

    "is the 'signature' field of a COSE_Sign1 object as defined in 
Section 4.4 of [I-D.ietf-cose-rfc8152bis-struct], computed as defined in 
Section 4.4 of [I-D.ietf-cose-rfc8152bis-struct] by using the signature 
algorithm ..."

* s/as defined in Section 5.3 of [I-D.ietf-cose-rfc8152bis-struct]/as 
defined in Sections 5.2 and 5.3 of [I-D.ietf-cose-rfc8152bis-struct]


[Section 5.4.3]

* s/or the prepended C_I/or the prepended C_R

* s/as defined in Section 5.3 of [I-D.ietf-cose-rfc8152bis-struct]/as 
defined in Sections 5.2 and 5.3 of [I-D.ietf-cose-rfc8152bis-struct]

* "If an error message is sent, the session MUST be discontinued."

    Is this sentence actually required? Regardless sending an error 
message or not, the session is discontinued if any processing step 
fails, which is the reason for possibly sending an error message. Or are 
there situations where an error message is sent even if no processing 
step fails?

* s/no other party than the Responder/no other party than the Initiator


[Section 5.5]

* "In deployments where no protected application message is sent from 
the Responder to the Initiator, the Responder MUST send message_4."

    Consider to rephrase as:

    "In deployments where no protected application message is sent from 
the Responder to the Initiator, message_4 MUST be supported and the 
Responder MUST send message_4"


[Section 5.5.2]

* s/as defined in Section 5.3 of [I-D.ietf-cose-rfc8152bis-struct]/as 
defined in Sections 5.2 and 5.3 of [I-D.ietf-cose-rfc8152bis-struct]


[Section 5.5.3]

* s/as defined in Section 5.3 of [I-D.ietf-cose-rfc8152bis-struct]/as 
defined in Sections 5.2 and 5.3 of [I-D.ietf-cose-rfc8152bis-struct]

* "If an error message is sent, the session MUST be discontinued."

    Is this sentence actually required? Regardless sending an error 
message or not, the session is discontinued if any processing step 
fails, which is the reason for possibly sending an error message. Or are 
there situations where an error message is sent even if no processing 
step fails?


[Section 6]

* s/error SHALL be/An error message SHALL be


[Section 6.3]

* "Error code 2 MUST only be used in a response to message_1 ..."

    can be rephrased as:

    "Error code 2 MUST only be used when replying to message_1" , 
avoiding to use words like "request" and "response".


[Section 6.3.2]

* s/the Responder shall only accept message_1 if/the Responder SHALL 
accept message_1 only if

* The last two paragraph are not further comments on the examples, but 
are rather related to the cipher suite negotiation. I think they better 
fit as last paragraphs of Section 6.3.1.


[Section 8]

* "Compromise of PRK_4x3m leads to compromise of all exported keying 
material derived after the last invocation of the EDHOC-KeyUpdate function."

    I suggest to expand as follows:

    "Compromise of PRK_4x3m leads to compromise of all exported keying 
material derived from that key through the EDHOC-Exporter function. If 
the EDHOC-KeyUpdate function has been used to renew PRK_4x3m, the 
compromise is limited to the exported keying material derived from the 
PRK_4x3m installed after the last invocation of the EDHOC-KeyUpdate 
function."


[Section 8.6]

* The way the first paragraph starts is probably a remnant of when CoAP 
was still part of the document body rather than in Appendix A. Also, as 
later discussed in Appendix A.3, the Echo exchange is started by a CoAP 
server, regardless if it acts exactly as Responder. I suggest to 
rephrase the paragraph as follows.

    "EDHOC itself does not provide countermeasures against 
Denial-of-Service attacks. In particular, by sending a number of new or 
replayed message_1 an attacker may cause the Responder to allocate 
state, perform cryptographic operations, and amplify messages. To 
mitigate such attacks, an implementation SHOULD rely on lower layer 
mechanisms. For instance, when EDHOC is transferred  as an exchange of 
CoAP messages, the CoAP server can use the Echo option defined in 
[I-D.ietf-core-echo-request-tag], which forces the CoAP client to 
demonstrate its reachability at its apparent network address."


[Section 8.7]

* "... but intended to simplify ..."

    Since "security context" is mentioned in the following sentences, it 
is better to explicitly mention that they are referring to the 
application protocol and not to EDHOC anymore.


[Appendix A.3]

* "EDHOC message_2 or the EDHOC error message is sent from the server to 
the client in the payload of a 2.04 (Changed) response. EDHOC message_3 
or the EDHOC error message is sent from the client to the server's 
resource in the payload of a POST request. If needed, an EDHOC error 
message is sent from the server to the client in the payload of a 2.04 
(Changed) response."

    This text should also be a remnant of old versions. When using EDHOC 
for OSCORE, EDHOC error messages as CoAP responses are sent as error 
responses, see the first paragraph in Appendix A.3.1. The text above can 
rather, more generically, be:

    "The server sends to the client EDHOC message_2 in the payload of a 
2.04 (Changed) response, or an EDHOC error message in the payload of a 
response. If needed, the client sends to the server an EDHOC error 
message in the payload of a POST request. Otherwise, the client sends to 
the server EDHOC message_3 in the payload of a POST request. If needed, 
the server sends to the client an EDHOC error message in the payload of 
a response."


[Appendix A.3.1]

* The last sentence can be extended, to mention what additionally is 
defined in draft-ietf-core-oscore-edhoc, besides the EDHOC+OSCORE 
request. This includes especially: a deterministic and efficient 
conversion from OSCORE Sender/Recipient IDs to EDHOC connection 
identifiers; web-linking and target attributes for discovering of EDHOC 
resources.


[Nits]

* Three instances of "key material" should be "keying material" for 
consistency.

* Section 3.3.1, s/and sends in message_2/and sends it in message_2

* Section 3.3.2, s/and a EDHOC connection/and an EDHOC connection

* Section 3.6
--- s/pre-defined int label/pre-defined integer label
--- s/Implementation can either use/Implementations can either use

* Section 3.7, s/requires an 'y' parameter/requires a 'y' parameter

* Section 3.8, s/protected out of scope of EDHOC/whose protection is out 
of the scope of EDHOC

* Section 3.9
--- s/verifying cipher suite/verifying a cipher suite
--- s/know identity of Responder/know identity of the Responder
--- s/know identity of Initiator/know identity of the Initiator

* Section 4.3, s/same key kan be/same key can be

* Section 5.1, s/then process according to Section 6, else process 
as/then process it according to Section 6, else process it as

* Section 5.3.2, s/facilitate retrieval of/facilitate the retrieval of

* Section 5.4.2
--- s/facilitate retrieval of/facilitate the retrieval of
--- s/intialization vector/initialization vector
--- s/or derived application keys/or derive application keys

* Section 5.4.2, s/intialization vector/initialization vector

* Section 6.3.2, s/then Responder MUST discontinue/then the Responder 
MUST discontinue

* Section 8, s/protection is provided/protection are provided

* Section 8.2
--- s/and instead rely/and instead relies
--- s/the Responders identity/the Responder's identity
--- s/Requirement for how/Requirements for how

* Section 8.6
--- s/forces the initiator/forces the Initiator

* Section 9.6, s/an CWT Claims Set/a CWT Claims Set

* Section 9.14, s/is defined as/are defined as

* Appendix A.3, s/using resource directory/using a resource directory

* Appendix B, s/compatibily/compatibility

* Appendix C.1, s/dignostic/diagnostic

* Appendix E
--- s/which does not handle/which do not handle
--- s/with respect the current/with respect to the current

* Appendix F, s/for message 1/for message_1


-- 
Marco Tiloca
Ph.D., Senior Researcher

Division: Digital System
Department: Computer Science
Unit: Cybersecurity

RISE Research Institutes of Sweden
https://www.ri.se

Phone: +46 (0)70 60 46 501
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)