
Last Call Review of draft-ietf-ace-cmpv2-coap-transport-05
review-ietf-ace-cmpv2-coap-transport-05-secdir-lc-smyslov-2022-10-18-00

Request
Review of: draft-ietf-ace-cmpv2-coap-transport
Requested revision: No specific revision (document currently at 10)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2022-10-27
Requested: 2022-10-13
Authors: Mohit Sahni, Saurabh Tripathi
I-D last updated: 2022-10-18
Completed reviews:
  Genart Last Call review of -05 by Meral Shirazipour
  Secdir Last Call review of -05 by Valery Smyslov
  Secdir Last Call review of -08 by Valery Smyslov

Assignment
Reviewer: Valery Smyslov
State: Completed
Request: Last Call review on draft-ietf-ace-cmpv2-coap-transport by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/3ZI5lUN8P68JnjHTRB8iJQ648xY
Reviewed revision: 05 (document currently at 10)
Result: Has nits
Completed: 2022-10-18

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document defines the use of Constrained Application Protocol
(CoAP) as a transport for the Certificate Management Protocol (CMP).

Nits:
1. I believe that the security considerations from RFC 6712 should be either
echoed in this document (where applicable), or at least be referenced.

2. I think that Section 3 (Using CoAP over DTLS) should be moved to the
Security Considerations section, or be referenced from there.

3. Section 5. I think that the sentence

   The CoAP is vulnerable due to the connectionless characteristics of UDP
   itself.

should either be expanded to say what particular vulnerabilities are meant (because
not all CoAP vulnerabilities are concerned with using UDP) or deleted.