Daniel Franke via Datatracker <[email protected]> wrote: > I'm marking this as "Not Ready" principally because the whole Security > Considerations section is "TBD".
Yes. We were hoping to get early reviews from people who had previously
reviewed RFC8995.
Filling in the Security Considerations without repeating RFC8995's lengthy
section will be a challenge.
> Having no prior familiarity with the ANIMA WG or its output, I found the
> introductory section of this draft rather bewildering. The document I
wanted to
> read for background, RFC 8366, is cited a few sentences in, but the
context
> didn't make it clear that this was where I wanted to look. Please provide
a
> paragraph or so worth of background about the ecosystem that this draft
lives
> in before launching into protocol-specific jargon like "voucher" and
> "pledge".
fair enough!
opened issue: https://github.com/anima-wg/constrained-voucher/issues/124
> You mention trying to conserve both network bandwidth and code size. I
see how
> you're saving a bit of bandwidth by shortening URLs, using CBOR instead of
> JSON, and in some cases avoiding retransmission of public keys. But I'm
not
> following where the code size wins come from. The procedure described in
> section 5.3.1 doesn't seem to save anything significant, since you still
need a
> whole RFC 5280 implementation for the fallback path.
https://github.com/anima-wg/constrained-voucher/issues/125
The short of it is that on many IoT devices, we already have CBOR, COSE code
present, because they are using ACE, OSCORE, etc. we'll make this more
explicit thank you.
> You've given "ECDSA" as a mandatory-to-implement algorithm, but haven't
> specified what particular curves must be supported. Without this, you
haven't
> gotten any closer to assuring interoperability.
Noted:
https://github.com/anima-wg/constrained-voucher/issues/126
> Appendix A looks like a funny thing to find in an RFC. Are you planning
to have
> the RFC Editor remove this prior to publication, like you'd do for an
> "Implementation Status" section? If so, you should include an explicit
> instruction to that effect.
The examples are intended to provide meaningful input for unit tests.
This is quite common for anything involve cryptographic operations.
We don't intend to remove it. Our experiences is that people outside of the
IETF find protocols without examples to be challenging to implement.
Should we merge Appendix A and B?
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
