|
Hello Paul,
Thanks a lot for your review! Please find in line below our detailed replies to your comments.
A Github PR where we have addressed your comments is available at [PR].
Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews) and to submit the result as version -27 of the document.
Thanks,
/Marco
Marco Tiloca
Ph.D., Senior Researcher
Phone: +46 (0)70 60 46 501
RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)
Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity
https://www.ri.se
From: Paul Kyzivat <pkyzivat@xxxxxxxxxxxx>
Sent: Wednesday, July 23, 2025 8:44 PM To: draft-ietf-core-oscore-groupcomm.all@xxxxxxxx <draft-ietf-core-oscore-groupcomm.all@xxxxxxxx>; core@xxxxxxxx <core@xxxxxxxx> Cc: General Area Review Team <gen-art@xxxxxxxx>; last-call@xxxxxxxx <last-call@xxxxxxxx> Subject: Gen-ART Last Call review of draft-ietf-core-oscore-groupcomm-26 I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <https://eur05.safelinks.protection.outlook.com/?url="">>. Document: draft-ietf-core-oscore-groupcomm-26 Reviewer: Paul Kyzivat Review Date: 2025-07-23 IETF LC End Date: 2025-07-29 IESG Telechat date: ? Summary: This draft is on the right track but has open issues, described in the review. Comment: This document notes "Readers are expected to be familiar with" (a daunting list of things). This was very challenging for a reviewer, who is not. But I did read the whole document. I am incompetent to raise issues about the essence of this document. Rather, I have focused on more superficial aspects. ISSUES: 4 NITS: 4 1) ISSUE Section 2.6.2 says: "If an implementation's integers support wrapping addition, the implementation MUST treat the Sender Sequence Number space as exhausted when a wrap-around is detected." I think I understand the issue, but question how it is stated. Just because the implementation does wrapping addition on integers shorter than 40 bits, that doesn't mean the implementation isn't capable to doing proper 40 bit arithmetic. There must be a better way to say this. Perhaps: "An implementation must treat the Sender Sequence Number space as exhausted when the Sender Sequence Number approaches the maximum value it can properly increment." Also, if an implementation has difficulty handling 40 bit integers, won't that also be a problem if it *receives* big sequence numbers? ==>MT
Thanks for raising this detail. We have rephrased as below.
OLD
> If an implementation's integers support wrapping addition, the implementation MUST treat the Sender Sequence Number space as exhausted when a wrap-around is detected.
NEW (emphasis mine)
> If an implementation's integers support wrapping addition, the implementation MUST treat the Sender Sequence Number space as exhausted when a wrap-around is detected **upon incrementing the value that has been used as Partial IV**.
On the point raised in the last sentence of the comment, that's not supposed to be a problem. In the OSCORE option value, the Partial IV can be up to 40 bits, hence a compliant recipient must be able to handle that if it happens.
That's simpler than the case discussed above, since it does not involve arithmetic operations or other manipulation of the Partial IV value. It's just about taking and using the Partial IV value as-is, in order to, e.g., perform replay checks against a replay
window (see Section 5.3), build an AEAD nonce (see Section 5.2 of RFC 8613), or build the external_aad for processing a message (see Section 3.4).
<==
2) ISSUE Section 6 says: "An endpoint MUST be able to distinguish between a Security Context to process OSCORE messages ... and a Group OSCORE Security Context ... To this end, an endpoint can take into account ... Alternatively, implementations can ..." Why offer alternatives? Why not specify a single unambiguous method? If there is reason, it would be good to discuss the pros and cons. ==>MT
We have updated the second paragraph of Section 6 "Message Reception" as below.
OLD
> To this end, an endpoint can take into account the different structure of the Security Context defined in Section 2, for example based on the presence of Signature Algorithm and Pairwise Key Agreement Algorithm in the Common Context. Alternatively, implementations
can use an additional parameter in the Security Context, to explicitly mark that it is intended for processing Group OSCORE messages.
NEW (emphasis mine)
**The way to accomplish this distinction is implementation specific. For example**, an endpoint can take into account the different structure of the Security Context defined in Section 2, **e.g.,** based on the presence of Signature Algorithm and Pairwise Key
Agreement Algorithm in the Common Context. **Alternatively, at the cost of increasing storage**, implementations can use an additional parameter in the Security Context, to explicitly mark that it is intended for processing Group OSCORE messages.
<==
3) MINOR ISSUE Section 2.4 says "The authentication credential of the Group Manager SHOULD be encoded according to that same format." There is no discussion of what conditions would justify violating the SHOULD. Without this, many implementers treat SHOULD as MAY. My general rule is that every SHOULD must specify that alternative. ==>MT
We have clarified by extending the second paragraph of Section 2.4 "Authentication Credentials" as below.
OLD
> The authentication credential of the Group Manager SHOULD be encoded according to that same format.
NEW
> The authentication credential of the Group Manager SHOULD be encoded according to that same format, in order to limit the number of formats that the group members have to support and
handle, unless it is infeasible or impractical for the particular realization or instance of the Group Manager to have an own authentication credential encoded in that same format.
<==
4) MINOR ISSUE Section 7.5 specifies External Signature Checkers. But I couldn't find any explanation of their purpose. I leave it to the authors to decide if there ought to be such an explanation. ==>MT
We have expanded the first paragraph in Section 7.5 "External Signature Checkers" as below.
OLD
> When a message is protected in group mode, it is possible for designated external signature checkers, e.g., intermediary gateways, to verify the countersignature of the message.
NEW
> When a message is protected in group mode, it is possible for designated external signature checkers to verify the countersignature of the message. For example, an external signature checker can be an intermediary gateway that intercepts messages protected
in group mode and ensures that they reach the intended recipients only if it successfully verifies their countersignatures.
<==
5) NIT The Abstract uses "CoAP" acronym without expansion. (Its defined in the Intro.) I think this isn't allowed in abstracts, which often stand alone. Please expand it in the abstract. ==>MT
We have expanded the first sentence of the abstract as below.
OLD
This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of CoAP messages exchanged between members of a group, e.g., sent over IP multicast.
NEW (emphasis mine)
This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of **messages exchanged with the Constrained Application Protocol (CoAP) between members of a group, e.g., sent
over IP multicast.**
<==
6) NIT: Typo Section 3.3 says: "A. and then XOR with X bytes from the Common IV's start, where X is the length in bytes of the nonce." I think the above has a typo that can be fixed by s/A/4/ ==>MT
We have changed "A." to "4." as suggested.
<==
7) NIT There is a minor grammatical mistake in section 4: s/was intended for./was intended./ ==>MT
We have rephrased as below:
> In such a case, the client assumes the response ‘kid’ to be the Recipient ID for the server for which the request protected in pairwise mode was intended.
<==
8) NIT The IdNits tool reports a number of issues. Many are spurious, but there are several downrefs that should be evaluated. ==>MT
The included references are as intended and deemed appropriate. Their understanding and use are required by the present document in a normative way.
Specifically as to RFC 5869, RFC 6979, RFC 7748, RFC 8032, and RFC 9053, they are all listed in
https://datatracker.ietf.org/doc/downref/
<==
|
-- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
