Last Call Review of draft-ietf-cellar-ebml-09
review-ietf-cellar-ebml-09-secdir-lc-smyslov-2019-02-11-00
Request | Review of | draft-ietf-cellar-ebml |
---|---|---|
Requested revision | No specific revision (document currently at 17) | |
Type | IETF Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2019-02-28 | |
Requested | 2019-01-29 | |
Requested by | Michael Richardson | |
Authors | Steve Lhomme, Dave Rice , Moritz Bunkus | |
I-D last updated | 2023-07-10 (Latest revision 2020-01-27) | |
Completed reviews |
Secdir IETF Last Call review of -09
by Valery Smyslov
(diff)
Genart IETF Last Call review of -09 by Robert Sparks (diff) Genart IETF Last Call review of -13 by Robert Sparks (diff) Secdir IETF Last Call review of -13 by Valery Smyslov (diff) Opsdir IETF Last Call review of -13 by Shwetha Bhandari (diff) Genart Telechat review of -14 by Robert Sparks (diff) |
|
Assignment | Reviewer | Valery Smyslov |
State | Completed | |
Request | IETF Last Call review on draft-ietf-cellar-ebml by Security Area Directorate Assigned | |
Reviewed revision | 09 (document currently at 17) | |
Result | Ready | |
Completed | 2019-02-11 |
review-ietf-cellar-ebml-09-secdir-lc-smyslov-2019-02-11-00
Reviewer: Valery Smyslov Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The draft describes an Extensible Binary Meta Language (EBML) format as a generalized file format for any type of data. As such the EBML itself doesn't include any mechanisms providing security services, besides marginal integrity check via crc32, that is optional and limited in use. The EBML relies on external mechanisms that would provide security services. The Security Considerations section describes various issues related to security that the EBML implementations should consider even in the presence of external cryptographic protection. The list of issues seems to be quite exhaustive for the EBML. Comment not related to security: Section 2: BCP14 and RFC2119 are essentially the same document, I see no reason why they are referenced as different entities in a single sentence.