[secdir] Secdir last call review of draft-ietf-cellar-ebml-09

"Valery Smyslov" <valery@smyslov.net> Mon, 11 February 2019 08:46 UTC

From: Valery Smyslov <valery@smyslov.net>
To: secdir@ietf.org
Cc: draft-ietf-cellar-ebml@ietf.org, cellar@ietf.org, ietf@ietf.org
Date: Mon, 11 Feb 2019 11:46:43 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tYR3gfkgWpPC-f0ksOoOZ-lbBYQ>

Reviewer: Valery Smyslov	
Review result: Ready

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The draft describes an Extensible Binary Meta Language (EBML)
format as a generalized file format for any type of data. As such
the EBML itself doesn't include any mechanisms providing
security services, besides a marginal integrity check via crc32,
that is optional and limited in use. The EBML relies on external
mechanisms that would provide security services. 

The Security Considerations section describes various issues 
related to security that the EBML implementations should consider 
even in the presence of external cryptographic protection.
The list of issues seems to be quite exhaustive for the EBML.

Comment not related to security:
Section 2: BCP14 and RFC2119 are essentially the same document;
I see no reason why they are referenced as different entities
in a single sentence.