Closed gselander closed 1 year ago
Yes cbor.me now supports https
NSA seems to have removed all documentation on CNSA 1.0 now that CNSA 2.0 has been published. The reference in the CNSA RFCs like RFC 9212 is also not working. DoD has a working document.
https://media.defense.gov/2021/Sep/27/2002862527/-1/-1/0/CNSS%20WORKSHEET.PDF
If we think DoD will also remove the webpage we could refer to Wikipedia.
https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
I think we should change "CNSA" to "CNSA 1.0" in the body.
https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1495/1495.pdf https://link.springer.com/chapter/10.1007/978-3-540-45146-4_24
If we want the long version we probably have to ask Hugo to make it available somewhere.
Please see if there is an archive.org link you could use (for all broken links).
> Please see if there is an archive.org link
Did you mean arxiv.org? Unfortunately, SIGMA isn't there.
But it seems the short version of the paper covers all referrals in the draft so we can use the iacr URL for example.
No, I mean https://archive.org/
Like
You just need to check if those are the correct versions.
Ok, thanks. I did a workaround, but good to know we can fall back to this.
https://mailarchive.ietf.org/arch/msg/lake/BxQZLgOSX7_jZs3gZaTEzfXgqC8/
DISCUSS:
GEN AD review of draft-ietf-lake-edhoc-20
CC @larseggert
Thanks to Christer Holmberg for the General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/tvJRHUSdUtXJpishMcOd0KwR4O0).
Discuss
Section 3.4, paragraph 6
No IETF transport protocol provides DDoS protection. If this is an actual requirement, how will it be provided?
Section 8, paragraph 3
How is interoperability guaranteed without at least a single mandatory-to-implement method?
Section 9.7, paragraph 1
While the Echo option prevents some resource exhaustion aspects of spoofing, it does not prevent DDoS by actual CoAP clients. Likewise, while limiting amplification reduces the impact of a DDoS attack by actual clients, it does not prevent it. It is hence incorrect to say that these attacks are mitigated by CoAP. (They also wouldn't be mitigated by any other IETF transport protocol.)
"A.2.", paragraph 1
Per above, CoAP does not protect against DDoS.
"A.2.", paragraph 6
Per above, this mitigates some aspects of spoofing, but does not protect against DDoS.
IANA
This document seems to have unresolved IANA issues. Holding a DISCUSS for IANA, so we can determine next steps during the telechat.
COMMENT:
Comments
Section 3.4, paragraph 5
But not congestion control?
Section 10.2, paragraph 17
Why still Expert Review if this already requires a Standards Action? (Same comment for other registry ranges with this policy.)
Inclusive language
Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance:
master; alternatives might be active, central, initiator, leader, main, orchestrator, parent, primary, server
man; alternatives might be individual, people, person
dummy; alternatives might be placeholder, sample, stand-in, substitute
native; alternatives might be built-in, fundamental, ingrained, intrinsic, original
Nits
All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions.
Outdated references
Document references draft-selander-lake-authz-02, but -03 is the latest available revision.
Document references draft-ietf-core-oscore-key-update-04, but -05 is the latest available revision.
Document references draft-ietf-teep-architecture, but that has been published as RFC9397.
Document references draft-ietf-cose-cbor-encoded-cert-05, but -06 is the latest available revision.
Document references draft-ietf-core-oscore-edhoc-07, but -08 is the latest available revision.
URLs
These URLs in the document did not return content:
These URLs in the document can probably be converted to HTTPS:
Grammar/style
Section 3.5.1, paragraph 2
A comma may be missing after the conjunctive/linking adverb "Similarly".
Section 4.1.1.3, paragraph 5
A comma may be missing after the conjunctive/linking adverb "However".
Section 4.1.2, paragraph 1
Consider replacing this phrase with the adverb "securely" to avoid wordiness.
Section 5.3.2, paragraph 17
Do not mix variants of the same word ("acknowledgement" and "acknowledgment") within a single text.
Section 6, paragraph 11
Consider using "so" or "therefore".
Section 6.3.1, paragraph 3
Do not mix variants of the same word ("acknowledgement" and "acknowledgment") within a single text.
Section 9.1, paragraph 6
A comma may be missing after the conjunctive/linking adverb "Hence".
Section 9.5, paragraph 1
The modal verb "can" requires the verb's base form.
Section 9.8, paragraph 1
The expression "so-called" is usually spelled with a hyphen.
Section 11.2, paragraph 11
Did you mean: "By default,"?
"A.1.", paragraph 4
The expression "so-called" is usually spelled with a hyphen.
"A.1.", paragraph 6
Use "an" instead of "a" if the following word starts with a vowel sound, e.g. "an article", "an hour".
"A.2.", paragraph 2
Consider using "several".
"A.2.", paragraph 7
Consider using the singular form after the singular determiner "This".
"A.2.1.", paragraph 8
Did you mean "to depend"?
"D.3.", paragraph 1
Possible typo: you repeated a word.
"Appendix E.", paragraph 7
Do not mix variants of the same word ("acknowledgement" and "acknowledgment") within a single text.