Last Call Review of draft-bormann-cbor-04
review-bormann-cbor-04-secdir-lc-lepinski-2013-08-16-00

Request Review of draft-bormann-cbor
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-08-13
Requested 2013-07-18
Authors Carsten Bormann , Paul E. Hoffman
I-D last updated 2013-08-16
Completed reviews Genart Last Call review of -04 by Martin Thomson (diff)
Genart Telechat review of -04 by Martin Thomson (diff)
Secdir Last Call review of -04 by Matt Lepinski (diff)
Assignment Reviewer Matt Lepinski
State Completed
Request Last Call review on draft-bormann-cbor by Security Area Directorate Assigned
Reviewed revision 04 (document currently at 09)
Result Has nits
Completed 2013-08-16
review-bormann-cbor-04-secdir-lc-lepinski-2013-08-16-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document appears ready for publication.

This document specifies the CBOR (Compact Binary Object Representation) binary
encoding format. The document is generally clearly written, and in particular,
is to be commended for providing a clear explanation of why one would want to
specify yet another binary encoding for arbitrary objects.

One minor note:

In the security considerations section, the authors explain potential
vulnerabilities in network protocols due to parser errors. (This is good
cautionary guidance to provide implementers.) However, at the very end of the
section, they suggest that an encoder/decoder used in a security context should
provide at least one "strict" mode of operation. I would suggest adding another
sentence or two explaining what the phrase "strict mode of operation" means in
this context.