[secdir] Secdir early review of draft-ietf-anima-constrained-voucher-11
Daniel Franke via Datatracker <email@example.com> Thu, 01 July 2021 00:04 UTC
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 315F63A30DC; Wed, 30 Jun 2021 17:04:41 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
From: Daniel Franke via Datatracker <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org
Reply-To: Daniel Franke <email@example.com>
Date: Wed, 30 Jun 2021 17:04:41 -0700
Subject: [secdir] Secdir early review of draft-ietf-anima-constrained-voucher-11
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Thu, 01 Jul 2021 00:04:41 -0000
Reviewer: Daniel Franke Review result: Not Ready I'm reviewing this document as a member of SecDir per the request for early review. I'm marking this as "Not Ready" principally because the whole Security Considerations section is "TBD". Having no prior familiarity with the ANIMA WG or its output, I found the introductory section of this draft rather bewildering. The document I wanted to read for background, RFC 8366, is cited a few sentences in, but the context didn't make it clear that this was where I wanted to look. Please provide a paragraph or so worth of background about the ecosystem that this draft lives in before launching into protocol-specific jargon like "voucher" and "pledge". You mention trying to conserve both network bandwidth and code size. I see how you're saving a bit of bandwidth by shortening URLs, using CBOR instead of JSON, and in some cases avoiding retransmission of public keys. But I'm not following where the code size wins come from. The procedure described in section 5.3.1 doesn't seem to save anything significant, since you still need a whole RFC 5280 implementation for the fallback path. You've given "ECDSA" as a mandatory-to-implement algorithm, but haven't specified what particular curves must be supported. Without this, you haven't gotten any closer to assuring interoperability. Appendix A looks like a funny thing to find in an RFC. Are you planning to have the RFC Editor remove this prior to publication, like you'd do for an "Implementation Status" section? If so, you should include an explicit instruction to that effect.
- [secdir] Secdir early review of draft-ietf-anima-… Daniel Franke via Datatracker
- Re: [secdir] [Anima] Secdir early review of draft… Michael Richardson