Orie Steele has entered the following ballot position for draft-ietf-ace-wg-coap-eap-11: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- # Orie Steele, ART AD, comments for draft-ietf-ace-wg-coap-eap-11 CC @OR13 * line numbers: - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-wg-coap-eap-11.txt&submitcheck=True * comment syntax: - https://github.com/mnot/ietf-comments/blob/main/format.md * "Handling Ballot Positions": - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/ ## Discuss Thanks Loganaden Velvindron for the shepherd writeup, I note his comments on media type issues, which I echo in my review. I also note IANA review state is "Review Needed". ### well known uri It does not appear that mnot's comments here were addressed: https://mailarchive.ietf.org/arch/msg/ace/HHSVWFPuPknnlZhojilF0AyD9To/ I agree with his comments. See: https://datatracker.ietf.org/doc/html/rfc8615#section-3 I suggest adding a comment to the effect of... "/.well-known/coap-eap" (or /.well-known/coap/eap) is used with "coap" / "coap+ws" or other entries which are already present here: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml It seemed like the authors intended to address these comments: https://mailarchive.ietf.org/arch/msg/ace/rFm-eTKhaVoD8VWqQKTyeM61SxA/ Please confirm the current registration requests are as intended (apologies if I failed to trace the mailing list discussion properly) ### media type I do not see a request for review for this media type registration here: https://mailarchive.ietf.org/arch/browse/media-types/?q=coap-eap Please seek a review per the guidance here: https://wiki.ietf.org/group/art/TypicalARTAreaIssues#media-types In particular this part: > Submit your actual registration (not a pointer to it) for review on the ietf-ty...@iana.org discussion list. Do this before you're ready to request publication of your draft. I will change this part of my discuss to no objections in a week or so... assuming no concerns are raised. Please make sure to copy-paste the full sections 9.5 (not just a pointer to them) in your mail to media-types. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ## Comments ### media types ``` 1112 IANA has added the media types "application/coap-eap" to the "Media 1113 Types" registry. The registration procedure is "Expert Review". 1114 Section 4 defines the format. ``` Thanks for the pointer to section 4, and the explanation in figure 7. ``` 1153 * Change Controller: IESG ``` Change controller should be IETF. ``` 1144 * Person and email address to contact for further information: See 1145 "Authors' Addresses" section. ``` Consider using a working group mailing list here instead (see recent registration requests on the media type list for details) ### use of null string in Master Secret ``` 746 * CS is the concatenation of the content of the cipher suite 747 negotiation, that is, the list of cipher suites sent by the EAP 748 authenticator (Step 1) to the selected option by the EAP peer 749 (Step 2). If any of the messages did not contain the CBOR array 750 (default algorithms), the null string is used. ``` I don't understand this part. Under which cases would the use of the null string be expected here? ### Redundant normative requirement? ``` 180 is an EAP state machine that can run any EAP method. For this 181 specification, the EAP method MUST be able to derive keying material. ``` ``` 219 An EAP method that does not export keying material MUST NOT be used. ``` deriving keying material vs exporting keyint material? ### When SHOULD state be kept forever? Also how long is "some time"? ``` 508 If, for any reason, one of the entities becomes non-responding, the 509 CoAP-EAP state SHOULD be kept only for some time before it is 510 removed. The removal of the CoAP-EAP state in the EAP authenticator ``` ### Array -> Algorithms ``` 987 is "Expert Review". The columns of the registry are Value, Array, ``` "Array" is a less than excellent column name... in this case, the column should be called "Algoritms"... right? ### When should tstr be used for ciphersuite? ``` 620 ? 1 : [+ int/tstr], ; cipher suite ``` I assume the values here should come from the CoAP-EAP Cipher Suites registry, where 0 is the default. I don't see any guidance on how or when a tstr "CoAP-EAP Cipher Suite" should be used... so I wonder how it will be interpretted by implementations. ### CDDL in CoAP-EAP Informational Elements ``` 1052 * Value: 1 1054 * Name: cipher suite 1056 * Description: List of the proposed or selected COSE algorithms for 1057 OSCORE ``` Should there be CBOR type information for each entry in this registry? Consider the "CBOR Type" column here: https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters ...and note that "array (of array of uint)" is not CDDL, you can perhaps provide the DEs with guidance to protect against such issues in the future. ### Content Encoding Per https://www.rfc-editor.org/errata_search.php?eid=4954 ``` 1163 +-----------------------+----------+------+-------------------+ 1164 | Media Type | Encoding | ID | Reference | 1165 +-----------------------+----------+------+-------------------+ 1166 | application/coap-eap | - | TBD | [[this document]] | 1167 +-----------------------+----------+------+-------------------+ ``` Encoding -> Content Encoding? (This is probably already clear to IANA) ## Nits ### expand on first use ``` 129 EAP methods transported in CoAP MUST generate cryptographic material 130 [RFC5247] in an MSK for this specification. The MSK is used as the ``` ### awkward sentence missing of / are-> is ? ``` 146 as the EAP authenticator. In these cases, EAP methods that do not 147 require many exchanges, have short messages and use cryptographic 148 algorithms that are manageable by constrained devices are preferable. 149 The benefits of the EAP framework in IoT are highlighted in 150 [EAP-framework-IoT]. ``` ### extra of ``` 160 Readers are expected to be familiar with the terms and concepts of 161 described in CoAP [RFC7252], EAP [RFC3748] [RFC5247] and OSCORE 162 [RFC8613] ``` _______________________________________________ Ace mailing list -- ace@ietf.org To unsubscribe send an email to ace-le...@ietf.org
