Last Call Review of draft-ietf-cbor-cddl-05
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.
The summary of the review is READY with nits.
I skimmed through the draft and agree with the author's statement in the
first paragraph of the Security Considerations section:

    This document presents a content rules language for expressing CBOR
    data structures. As such, it does not bring any security issues on
    itself, although specification of protocols that use CBOR naturally
    need security analysis when defined.

(As a very minor nit, I'd suggest using "analyses" rather than "analysis".)
Nit 1: The authors have made a good effort at identifying some of the
topics that may be considered in a security considerations section of
specifications that use protocols using CDDL to define CBOR structures.
However, I would recommend that those bullet points be used to
supplement a normative reference to RFC 3552 "Security Considerations
Perhaps adding the following between the first and second paragraphs:

    Guidelines for writing security considerations are defined in
    Security Considerations Guidelines [RFC 3552]
    (BCP 72). Implementers using CDDL to define CBOR structures in
    protocols must follow those guidelines.

Then change the start of the second paragraph from "Topics that may
be..." to "Additional topics that may be..."
Nit 2: I am not very familiar with all of this, but it seems to me that
RFC 8152, "CBOR Object Signing and Encryption (COSE)" should be a
normative reference rather than an informative reference, and some
mention should be made of it in the Security Considerations section.
Reference is made in RFC 8152 to CDDL (4th paragraph in Section 1.3):

    As well as the prose description, a version of a CBOR grammar is
    presented in CDDL. Since CDDL has not been published in an RFC, this
    grammar may not work with the final version of CDDL. The CDDL
    grammar is informational; the prose description is normative.

I may be off base here, but it just seems that since 8152 has been
published as a Standards Track document, then this draft should
normatively reference it and any subsequent updates to 8152 should
normatively reference the Standards Track RFC issuing from this draft.