Last Call Review of draft-ietf-asdf-sdf-18
review-ietf-asdf-sdf-18-secdir-lc-nystrom-2024-05-27-00

Request Review of draft-ietf-asdf-sdf
Requested revision No specific revision (document currently at 25)
Type IETF Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-05-22
Requested 2024-05-08
Authors Michael Koster, Carsten Bormann, Ari Keränen
I-D last updated 2025-10-13 (Latest revision 2025-10-13)
Completed reviews Genart IETF Last Call review of -18 by Mallory Knodel (diff)
Secdir IETF Last Call review of -18 by Magnus Nyström (diff)
Artart IETF Last Call review of -18 by Harald T. Alvestrand (diff)
Opsdir IETF Last Call review of -18 by Susan Hares (diff)
Iotdir Telechat review of -21 by Christian Amsüss (diff)
Opsdir IETF Last Call review of -20 by Susan Hares (diff)
Secdir IETF Last Call review of -20 by Magnus Nyström (diff)
Assignment Reviewer Magnus Nyström
State Completed
Request IETF Last Call review on draft-ietf-asdf-sdf by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/EN-3aP5-qGr8wzpc7g-_ETOlIFs
Reviewed revision 18 (document currently at 25)
Result Ready
Completed 2024-05-27
I reviewed this document as part of the Security Directorate's ongoing effort
to review all IETF documents being processed by the IESG.  These comments were
written primarily for the benefit of the Security Area Directors.  Document
authors, document editors, and WG chairs should treat these comments just like
any other IETF Last Call comments.

This document specifies a format for use in the "creation and maintenance of
data and interaction models that describe [physical things possible to connect
to]". The Security Considerations section is well written; I have only a couple
of questions:

- The Security Considerations section mentions the possible need for
confidentiality of an SDF model ("There may be confidentiality requirements on
SDF models, both on their content and on the fact that a specific model is used
in a particular Thing or environment"). Couldn't there also be a need for
integrity/authenticity of a given SDF model? The document is silent on this.
- Related to the previous point, was it ever discussed to allow for an integrity
or authenticity value accompanying or being part of an SDFThing instance?