Last Call Review of draft-ietf-cellar-ebml-09
review-ietf-cellar-ebml-09-secdir-lc-smyslov-2019-02-11-00

Request Review of draft-ietf-cellar-ebml
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-02-28
Requested 2019-01-29
Requested by Michael Richardson
Authors Steve Lhomme, Dave Rice, Moritz Bunkus
Draft last updated 2019-02-11
Completed reviews Secdir Last Call review of -09 by Valery Smyslov (diff)
Genart Last Call review of -09 by Robert Sparks (diff)
Genart Last Call review of -13 by Robert Sparks (diff)
Secdir Last Call review of -13 by Valery Smyslov (diff)
Opsdir Last Call review of -13 by Shwetha Bhandari (diff)
Genart Telechat review of -14 by Robert Sparks
Assignment Reviewer Valery Smyslov
State Completed
Review review-ietf-cellar-ebml-09-secdir-lc-smyslov-2019-02-11
Reviewed rev. 09 (document currently at 14)
Review result Ready
Review completed: 2019-02-11

Review
review-ietf-cellar-ebml-09-secdir-lc-smyslov-2019-02-11

Reviewer: Valery Smyslov	
Review result: Ready

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


The draft describes an Extensible Binary Meta Language (EBML)
format as a generalized file format for any type of data. As such
the EBML itself doesn't include any mechanisms providing
security services, besides marginal integrity check via crc32,
that is optional and limited in use. The EBML relies on external
mechanisms that would provide security services. 

The Security Considerations section describes various issues 
related to security that the EBML implementations should consider 
even in the presence of external cryptographic protection.
The list of issues seems to be quite exhaustive for the EBML.


Comment not related to security:
Section 2: BCP14 and RFC2119 are essentially the same document, 
I see no reason why they are referenced as different entities
in a single sentence.