Last Call Review of draft-ietf-cbor-7049bis-14
review-ietf-cbor-7049bis-14-secdir-lc-sheffer-2020-08-10-00

Request Review of draft-ietf-cbor-7049bis
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-08-14
Requested 2020-07-24
Authors Carsten Bormann, Paul Hoffman
Draft last updated 2020-08-10
Completed reviews Genart Last Call review of -14 by Tim Evens
Secdir Last Call review of -14 by Yaron Sheffer
Iotdir Telechat review of -14 by Eve Schooler
Assignment Reviewer Yaron Sheffer
State Completed
Review review-ietf-cbor-7049bis-14-secdir-lc-sheffer-2020-08-10
Posted at https://mailarchive.ietf.org/arch/msg/secdir/gGX-FMhIabo5TQjkl6ptenW3nzk
Reviewed rev. 14 (document currently at 16)
Review result Has Nits
Review completed: 2020-08-10

Review

This is an editorial, fully compatible update of RFC 7049 (the CBOR encoding).

The Security Considerations have been significantly expanded, and they make sense to me. However, while the prose is all sensible, it doesn't seem like the best practical guidance for implementers. I would have appreciated a bullet list of potential implementation pitfalls, as well as a bullet list of decoder validation capabilities, such as are alluded to by the last sentence of the section. Upon a quick read, it is not even clear to me which parts of Sec. 5 are required/expected in a validating-mode decoder.
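As an added illustration of the kind of decoder validation capability the review asks for (this is not code from the review, the draft or any CBOR library), the Python below walks one CBOR data item and rejects the classic implementation pitfalls: trusting a declared length or item count before checking the remaining input, reading an argument past the end of the buffer, reserved additional-information values, stray or missing break codes, and unbounded nesting. MAX_DEPTH is an assumed, application-chosen limit.

```python
MAX_DEPTH = 32                           # assumed application-chosen nesting limit
class CborError(ValueError): pass
def _arg(buf, i, ai):
    # Argument after the initial byte (ai < 31); returns (value, next index).
    if ai < 24:
        return ai, i
    if ai > 27:                          # 28..30 are reserved, never well-formed
        raise CborError("reserved additional info %d" % ai)
    n = 1 << (ai - 24)                   # 1, 2, 4 or 8 following bytes
    if i + n > len(buf):                 # pitfall: reading the argument past the buffer
        raise CborError("truncated argument")
    return int.from_bytes(buf[i:i + n], "big"), i + n
def check_item(buf, i=0, depth=0):
    """Validate one data item at buf[i]; return the index just past it."""
    if depth > MAX_DEPTH:                # pitfall: unbounded recursion on nested items
        raise CborError("nesting deeper than %d" % MAX_DEPTH)
    if i >= len(buf):
        raise CborError("unexpected end of input")
    mt, ai = buf[i] >> 5, buf[i] & 0x1F  # major type, additional information
    i += 1
    if ai == 31:                         # indefinite length, or a stray break (0xff)
        if mt not in (2, 3, 4, 5):
            raise CborError("major type %d cannot be indefinite-length" % mt)
        count = 0
        while i < len(buf) and buf[i] != 0xFF:
            if mt in (2, 3) and (buf[i] >> 5 != mt or buf[i] & 0x1F == 31):
                raise CborError("wrong chunk type in indefinite-length string")
            i, count = check_item(buf, i, depth + 1), count + 1
        if i >= len(buf):
            raise CborError("missing break")
        if mt == 5 and count % 2:
            raise CborError("odd item count in indefinite-length map")
        return i + 1
    val, i = _arg(buf, i, ai)
    if mt in (2, 3):                     # pitfall: allocating val bytes before this check
        if val > len(buf) - i:
            raise CborError("declared length %d exceeds input" % val)
        return i + val
    if mt in (4, 5):                     # pitfall: preallocating val entries; each needs >= 1 byte
        n = val * 2 if mt == 5 else val
        if n > len(buf) - i:
            raise CborError("declared count %d exceeds input" % val)
        for _ in range(n):
            i = check_item(buf, i, depth + 1)
        return i
    return check_item(buf, i, depth + 1) if mt == 6 else i  # tag wraps one item; 0, 1, 7 end here
def is_well_formed(buf):
    try:
        return check_item(buf) == len(buf)
    except CborError:
        return False
```

Well-formedness is only the first layer; validity (duplicate map keys, tag content, UTF-8 in text strings) still needs separate checks.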