[Lwip] Secdir early review of draft-ietf-lwig-curve-representations-08

Russ Housley via Datatracker <noreply@ietf.org> Tue, 26 November 2019 17:58 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: lwip@ietf.org
Delivered-To: lwip@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8B3120A2D; Tue, 26 Nov 2019 09:58:22 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Russ Housley via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: lwip@ietf.org, draft-ietf-lwig-curve-representations.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.111.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Russ Housley <housley@vigilsec.com>
Message-ID: <157479110201.13605.6894641490219218764@ietfa.amsl.com>
Date: Tue, 26 Nov 2019 09:58:22 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/SCbOq3eqhO_3Y51pEAlaGbDdrcA>
Subject: [Lwip] Secdir early review of draft-ietf-lwig-curve-representations-08
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 17:58:22 -0000

Reviewer: Russ Housley
Review result: Has Issues

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-lwig-curve-representations-08
Reviewer: Russ Housley
Review Date: 2019-11-26
IETF LC End Date: unknown
IESG Telechat date: unknown

Summary: Has Issues


Major Concerns:

I am confused by the first paragraph in Section 10.  It says that "An
object identifier is requested ...", but then code points for COSE
and JOSE (not object identifiers) are requested in the subsections.

I am confused by the second paragraph in Section 10.  It says that
"There is *currently* no further IANA action required ...".  Please
delete this paragraph.


Minor Concerns:

Requirements Language section is out of date.  It should reference
RFC 8174 in addition to RFC 2119, as follows:

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Section 2 says: "... reuse of existing generic code ...";  I do not know
what is meant by "generic".  It either needs to be defined, reworded, or
dropped.  I note that elsewhere in the document "existing code" is used.

I expected Section 9 to say something about public keys being unique
identifiers of the private key holder.

Some introduction text at the beginning of each Appendix would be very
helpful.  Please tell the reader what they will learn by delving into
the subsections of the appendix.


Nits:

Section 4.2 says: "... at the end of hereof ...".  This does not tell
me anything useful.  I suggest deleting this phrase.

I suggest turning the numbered paragraphs in Section 5 into subsections.