Last Call Review of draft-ietf-cbor-cddl-05

Request Review of draft-ietf-cbor-cddl
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-10-04
Requested 2018-09-20
Authors Henk Birkholz, Christoph Vigano, Carsten Bormann
Draft last updated 2018-10-04
Completed reviews Genart Last Call review of -05 by Ines Robles
Secdir Last Call review of -05 by Chris Lonvick
Assignment Reviewer Chris Lonvick
State Completed
Review review-ietf-cbor-cddl-05-secdir-lc-lonvick-2018-10-04
Reviewed rev. 05 (document currently at 08)
Review result Has Nits
Review completed: 2018-10-04

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

The summary of the review is READY with nits.

I skimmed through the draft and agree with the author's statement in the 
first paragraph of the Security Considerations section:

    This document presents a content rules language for expressing CBOR
    data structures.  As such, it does not bring any security issues on
    itself, although specification of protocols that use CBOR naturally
    need security analysis when defined.

(As a very minor nit, I'd suggest using "analyses" rather than "analysis".)

Nit 1: The authors have made a good effort at identifying some of the 
topics that may be considered in a security considerations section of 
specifications that use protocols using CDDL to define CBOR structures. 
However, I would recommend that those bullet points be used to 
supplement a normative reference to RFC 3552 "Security Considerations 

Perhaps adding the following between the first and second paragraphs:
    Guidelines for writing security considerations are defined in
    Security Considerations Guidelines [RFC 3552] (BCP 72).  Implementers
    using CDDL to define CBOR structures in protocols must follow those
    guidelines.

Then change the start of the second paragraph from "Topics that may 
be..." to "Additional topics that may be..."

Nit 2: I am not very familiar with all of this, but it seems to me that 
RFC 8152, "CBOR Object Signing and Encryption (COSE)" should be a 
normative reference rather than an informative reference, and some 
mention should be made of it in the Security Considerations section. 
Reference is made in RFC 8152 to CDDL (4th paragraph in Section 1.3):

    As well as the prose description, a version of a CBOR grammar is
    presented in CDDL.  Since CDDL has not been published in an RFC, this
    grammar may not work with the final version of CDDL.  The CDDL
    grammar is informational; the prose description is normative.

I may be off base here, but it just seems that since 8152 has been 
published as a Standards Track document, then this draft should 
normatively reference it and any subsequent updates to 8152 should 
normatively reference the Standards Track RFC issuing from this draft.

Best regards,