[secdir] Secdir last call review of draft-ietf-cbor-edn-literals-09

Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org> Mon, 27 May 2024 14:10 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DE51C18DBB4; Mon, 27 May 2024 07:10:48 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.13.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <171681904824.4732.13257098186796399236@ietfa.amsl.com>
Message-ID-Hash: LX2HUWOJFMUD6D3ENC67B32CQWDICK43
X-Message-ID-Hash: LX2HUWOJFMUD6D3ENC67B32CQWDICK43
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cbor@ietf.org, draft-ietf-cbor-edn-literals.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Reply-To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Subject: [secdir] Secdir last call review of draft-ietf-cbor-edn-literals-09
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mJ48Y2vyRoNSnHfXR12tsz0lo7U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Date: Tue, 28 May 2024 07:47:23 -0000
X-Original-Date: Mon, 27 May 2024 07:10:48 -0700

Reviewer: Rifaat Shekh-Yusef
Review result: Has Nits

In CBOR, Extended Diagnostic Notation (EDN) is a diagnostic format, that is
used to facilitate documentation and debugging.

RFC8949, section 8, explicitly states these diagnostics are not meant to be
parsed, which means that these diagnostics do not introduce any new security
issues.

This document describes how to add application specific extensions to EDN. The
security section of this draft does not discuss the implication of this
directly, but instead points to RFC8610 and RFC8949. Because, as stated above,
these diagnostics are not meant to be parsed, this document implies that there
are no new security implications associated with these new extensions.

If this is the case, it would be nice to add a sentence or two to help the
reader get to this conclusion directly, instead of just pointing the reader to
the other documents.