Hello Paul, Thanks a lot for your review! Please find in line below our detailed replies to your comments.
A Github PR where we have addressed your comments is available at [PR]. Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews) and to submit the result as version -27 of the document. Thanks, /Marco [PR] https://github.com/core-wg/oscore-groupcomm/pull/116 Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se ________________________________ From: Paul Kyzivat <[email protected]> Sent: Wednesday, July 23, 2025 8:44 PM To: [email protected] <[email protected]>; [email protected] <[email protected]> Cc: General Area Review Team <[email protected]>; [email protected] <[email protected]> Subject: Gen-ART Last Call review of draft-ietf-core-oscore-groupcomm-26 I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac.ietf.org%2Ftrac%2Fgen%2Fwiki%2FGenArtfaq&data=05%7C02%7Cmarco.tiloca%40ri.se%7C3dd8e3badbef4cc80d1208ddca18f3df%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638888930715525949%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=ep1ILkMDmoBAcnJg6v9qRG4ZhMCbIk0MdNr16Zy4cj4%3D&reserved=0<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>>. Document: draft-ietf-core-oscore-groupcomm-26 Reviewer: Paul Kyzivat Review Date: 2025-07-23 IETF LC End Date: 2025-07-29 IESG Telechat date: ? Summary: This draft is on the right track but has open issues, described in the review. Comment: This document notes "Readers are expected to be familiar with" (a daunting list of things). This was very challenging for a reviewer, who is not. But I did read the whole document. I am incompetent to raise issues about the essence of this document. Rather, I have focused on more superficial aspects. ISSUES: 4 NITS: 4 1) ISSUE Section 2.6.2 says: "If an implementation's integers support wrapping addition, the implementation MUST treat the Sender Sequence Number space as exhausted when a wrap-around is detected." I think I understand the issue, but question how it is stated. Just because the implementation does wrapping addition on integers shorter than 40 bits, that doesn't mean the implementation isn't capable to doing proper 40 bit arithmetic. There must be a better way to say this. Perhaps: "An implementation must treat the Sender Sequence Number space as exhausted when the Sender Sequence Number approaches the maximum value it can properly increment." Also, if an implementation has difficulty handling 40 bit integers, won't that also be a problem if it *receives* big sequence numbers? ==>MT Thanks for raising this detail. We have rephrased as below. OLD > If an implementation's integers support wrapping addition, the implementation > MUST treat the Sender Sequence Number space as exhausted when a wrap-around > is detected. NEW (emphasis mine) > If an implementation's integers support wrapping addition, the implementation > MUST treat the Sender Sequence Number space as exhausted when a wrap-around > is detected **upon incrementing the value that has been used as Partial IV**. On the point raised in the last sentence of the comment, that's not supposed to be a problem. In the OSCORE option value, the Partial IV can be up to 40 bits, hence a compliant recipient must be able to handle that if it happens. That's simpler than the case discussed above, since it does not involve arithmetic operations or other manipulation of the Partial IV value. It's just about taking and using the Partial IV value as-is, in order to, e.g., perform replay checks against a replay window (see Section 5.3), build an AEAD nonce (see Section 5.2 of RFC 8613), or build the external_aad for processing a message (see Section 3.4). <== 2) ISSUE Section 6 says: "An endpoint MUST be able to distinguish between a Security Context to process OSCORE messages ... and a Group OSCORE Security Context ... To this end, an endpoint can take into account ... Alternatively, implementations can ..." Why offer alternatives? Why not specify a single unambiguous method? If there is reason, it would be good to discuss the pros and cons. ==>MT We have updated the second paragraph of Section 6 "Message Reception" as below. OLD > To this end, an endpoint can take into account the different structure of the > Security Context defined in Section 2, for example based on the presence of > Signature Algorithm and Pairwise Key Agreement Algorithm in the Common > Context. Alternatively, implementations can use an additional parameter in > the Security Context, to explicitly mark that it is intended for processing > Group OSCORE messages. NEW (emphasis mine) **The way to accomplish this distinction is implementation specific. For example**, an endpoint can take into account the different structure of the Security Context defined in Section 2, **e.g.,** based on the presence of Signature Algorithm and Pairwise Key Agreement Algorithm in the Common Context. **Alternatively, at the cost of increasing storage**, implementations can use an additional parameter in the Security Context, to explicitly mark that it is intended for processing Group OSCORE messages. <== 3) MINOR ISSUE Section 2.4 says "The authentication credential of the Group Manager SHOULD be encoded according to that same format." There is no discussion of what conditions would justify violating the SHOULD. Without this, many implementers treat SHOULD as MAY. My general rule is that every SHOULD must specify that alternative. ==>MT We have clarified by extending the second paragraph of Section 2.4 "Authentication Credentials" as below. OLD > The authentication credential of the Group Manager SHOULD be encoded > according to that same format. NEW > The authentication credential of the Group Manager SHOULD be encoded > according to that same format, in order to limit the number of formats that > the group members have to support and handle, unless it is infeasible or > impractical for the particular realization or instance of the Group Manager > to have an own authentication credential encoded in that same format. <== 4) MINOR ISSUE Section 7.5 specifies External Signature Checkers. But I couldn't find any explanation of their purpose. I leave it to the authors to decide if there ought to be such an explanation. ==>MT We have expanded the first paragraph in Section 7.5 "External Signature Checkers" as below. OLD > When a message is protected in group mode, it is possible for designated > external signature checkers, e.g., intermediary gateways, to verify the > countersignature of the message. NEW > When a message is protected in group mode, it is possible for designated > external signature checkers to verify the countersignature of the message. > For example, an external signature checker can be an intermediary gateway > that intercepts messages protected in group mode and ensures that they reach > the intended recipients only if it successfully verifies their > countersignatures. <== 5) NIT The Abstract uses "CoAP" acronym without expansion. (Its defined in the Intro.) I think this isn't allowed in abstracts, which often stand alone. Please expand it in the abstract. ==>MT We have expanded the first sentence of the abstract as below. OLD This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of CoAP messages exchanged between members of a group, e.g., sent over IP multicast. NEW (emphasis mine) This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of **messages exchanged with the Constrained Application Protocol (CoAP) between members of a group, e.g., sent over IP multicast.** <== 6) NIT: Typo Section 3.3 says: "A. and then XOR with X bytes from the Common IV's start, where X is the length in bytes of the nonce." I think the above has a typo that can be fixed by s/A/4/ ==>MT We have changed "A." to "4." as suggested. <== 7) NIT There is a minor grammatical mistake in section 4: s/was intended for./was intended./ ==>MT We have rephrased as below: > In such a case, the client assumes the response ‘kid’ to be the Recipient ID > for the server for which the request protected in pairwise mode was intended. <== 8) NIT The IdNits tool reports a number of issues. Many are spurious, but there are several downrefs that should be evaluated. ==>MT The included references are as intended and deemed appropriate. Their understanding and use are required by the present document in a normative way. Specifically as to RFC 5869, RFC 6979, RFC 7748, RFC 8032, and RFC 9053, they are all listed in https://datatracker.ietf.org/doc/downref/ <==
_______________________________________________ Gen-art mailing list -- [email protected] To unsubscribe send an email to [email protected]
