Last Call Review of draft-ietf-ace-extend-dtls-authorize-05
review-ietf-ace-extend-dtls-authorize-05-secdir-lc-reddyk-2023-01-19-00

Reviewer: Tirumaleswar Reddy
Review result: Ready with Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document updates the CoAP-DTLS profile for ACE by specifying
that the profile applies to TLS as well as DTLS.

Comments below:

1) In case the ace_profile parameter indicates the
use of the DTLS profile for ACE as defined in [RFC9202],
the Client MAY try to connect to the Resource Server via TLS, or try TLS
and DTLS in parallel
to accelerate the connection setup. It is up to the implementation to
handle the case where the RS reponds to both connection requests.

Comment> DTLS should be given higher precedence than TLS as CoAP over UDP
is the first choice of implementation.

2) As resource-constrained devices are not expected to
support both transport layer security mechanisms, a Client
that implements either TLS or DTLS but not both might fail in establishing
a secure communication channel with the Resource Server altogether.

Comment> If the IoT device cannot support both TLS and DTLS , is it
mandatory for the device to support TLS ?
Otherwise, if a device supports DTLS only and a firewall blocks the
communication channel over UDP with the RS, it will fail to function.

Cheers,
-Tiru