[secdir] Secdir telechat review of draft-ietf-cbor-sequence-01

Stephen Kent via Datatracker <noreply@ietf.org> Fri, 06 September 2019 17:55 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D04A1120866; Fri, 6 Sep 2019 10:55:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Stephen Kent via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-cbor-sequence.all@ietf.org, ietf@ietf.org, cbor@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Stephen Kent <kent@alum.mit.edu>
Message-ID: <156779251575.21899.11186203310854403491@ietfa.amsl.com>
Date: Fri, 06 Sep 2019 10:55:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/X6YZuWAypEITxYkmy590yW_vDRM>
Subject: [secdir] Secdir telechat review of draft-ietf-cbor-sequence-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2019 17:55:16 -0000

Reviewer: Stephen Kent
Review result: Ready

SECDIR review of draft-ietf-cbor-sequence-01

The summary of the review is Ready, with one suggested edit.

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving security requirements and
considerations in IETF drafts.  Comments not addressed in last call may be
included in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

The Abstract says that this short document describes the Concise Binary Object
Representation(CBOR) Sequence format and associated media type
"application/cbor seq". The document indicates that the motivation for this
extension of the base CBOR specification (RFC 7049) is to specify a format for
CBOR sequences, which allow incremental production and consumption of such
sequences while imposing minimal demands on a CBOR parser.

The Security Considerations section consists of just two, brief paragraphs. The
first says that the considerations of the base CBRO specification (RFC 7049)
apply, which seems reasonable. The Security Considerations section of that
document is well written. It discusses several types of potential
vulnerabilities associated with complex parsers, and notes that CBOR tries to
reduce the range of some type of attacks by striving to reduce parser
complexity.

This document notes that COSE (RFC 8152) can be employed if security services,
e.g., data integrity, are required. This too seems reasonable, since COSE
explicitly specifies mechanisms for offering such services for CBOR-formatted
data. The second paragraph of the Security Considerations section reminds the
reader that decoders (parsers) ought to be designed with the understanding that
inputs are untrusted – good advice. I’d be happier if the final sentence
changed “must” to “MUST” to reinforce this admonition.