Early Review of draft-ietf-lwig-curve-representations-08

Request Review of draft-ietf-lwig-curve-representations
Requested rev. no specific revision (document currently at 12)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2019-10-04
Requested 2019-09-20
Requested by Suresh Krishnan
Authors Rene Struik
Draft last updated 2019-11-26
Completed reviews Secdir Early review of -08 by Russ Housley
Iotdir Early review of -08 by Daniel Migault
Secdir Last Call review of -12 by Russ Housley
Genart Last Call review of -12 by Roni Even
I would greatly appreciate a SecDir review for this one as the subject matter is pretty security centric.
Assignment Reviewer Russ Housley
State Completed
Review review-ietf-lwig-curve-representations-08-secdir-early-housley-2019-11-26
Posted at https://mailarchive.ietf.org/arch/msg/secdir/RDNGIXI4SQNpgWw56E6mRBq9qtc
Reviewed rev. 08 (document currently at 12)
Review result Has Issues
Review completed: 2019-11-26
I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-lwig-curve-representations-08
Reviewer: Russ Housley
Review Date: 2019-11-26
IETF LC End Date: unknown
IESG Telechat date: unknown

Summary: Has Issues

Major Concerns:

I am confused by the first paragraph in Section 10.  It says that "An
object identifier is requested ...", but then code points for COSE
and JOSE (not object identifiers) are requested in the subsections.

I am confused by the second paragraph in Section 10.  It says that
"There is *currently* no further IANA action required ...".  Please
delete this paragraph.

Minor Concerns:

Requirements Language section is out of date.  It should reference
RFC 8174 in addition to RFC 2119, as follows:

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Section 2 says: "... reuse of existing generic code ...";  I do not know
what is meant by "generic".  It either needs to be defined, reworded, or
dropped.  I note that elsewhere in the document "existing code" is used.

I expected Section 9 to say something about public keys being unique
identifiers of the private key holder.

Some introduction text at the beginning of each Appendix would be very
helpful.  Please tell the reader what they will learn by delving into
the subsections of the appendix.
Section 4.2 says: "... at the end of hereof ...".  This does not tell
me anything useful.  I suggest deleting this phrase.

I suggest turning the numbered paragraphs in Section 5 into subsections.