Last Call Review of draft-ietf-cbor-cddl-05
review-ietf-cbor-cddl-05-secdir-lc-lonvick-2018-10-04-00

Request Review of draft-ietf-cbor-cddl
Requested rev. no specific revision
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-10-04
Requested 2018-09-20
Other Reviews Genart Last Call review of -05 by Ines Robles
Review State Completed
Reviewer Chris Lonvick
Review review-ietf-cbor-cddl-05-secdir-lc-lonvick-2018-10-04
Posted at https://mailarchive.ietf.org/arch/msg/secdir/_3iSpOJW6em-kDQ8d4VCm6FwB_A
Reviewed rev. 05
Review result Has Nits
Draft last updated 2018-10-04
Review completed: 2018-10-04

Review
review-ietf-cbor-cddl-05-secdir-lc-lonvick-2018-10-04

Hello,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

The summary of the review is READY with nits.

I skimmed through the draft and agree with the author's statement in the 
first paragraph of the Security Considerations section:

    This document presents a content rules language for expressing CBOR
    data structures.  As such, it does not bring any security issues on
    itself, although specification of protocols that use CBOR naturally
    need security analysis when defined.

(As a very minor nit, I'd suggest using "analyses" rather than "analysis".)

Nit 1: The authors have made a good effort at identifying some of the 
topics that may be considered in a security considerations section of 
specifications that use protocols using CDDL to define CBOR structures. 
However, I would recommend that those bullet points be used to 
supplement a normative reference to RFC 3552 "Security Considerations 
Guidelines".

Perhaps adding the following between the first and second paragraphs:
    Guidelines for writing security considerations are defined in
    Security Considerations Guidelines [RFC 3552] (BCP 72).  Implementers
    using CDDL to define CBOR structures in protocols must follow those
    guidelines.

Then change the start of the second paragraph from "Topics that may 
be..." to "Additional topics that may be..."

Nit 2: I am not very familiar with all of this, but it seems to me that 
RFC 8152, "CBOR Object Signing and Encryption (COSE)" should be a 
normative reference rather than an informative reference, and some 
mention should be made of it in the Security Considerations section. 
Reference is made in RFC 8152 to CDDL (4th paragraph in Section 1.3):

    As well as the prose description, a version of a CBOR grammar is
    presented in CDDL.  Since CDDL has not been published in an RFC, this
    grammar may not work with the final version of CDDL.  The CDDL
    grammar is informational; the prose description is normative.

I may be off base here, but it just seems that since 8152 has been 
published as a Standards Track document, then this draft should 
normatively reference it and any subsequent updates to 8152 should 
normatively reference the Standards Track RFC issuing from this draft.

Best regards,
Chris