IETF Last Call Review of draft-ietf-core-href-27
review-ietf-core-href-27-secdir-lc-velvindron-2025-10-22-00
| Request | Review of | draft-ietf-core-href |
|---|---|---|
| Requested revision | No specific revision (document currently at 30) | |
| Type | IETF Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2025-07-29 | |
| Requested | 2025-07-08 | |
| Authors | Carsten Bormann, Henk Birkholz | |
| I-D last updated | 2025-12-18 (Latest revision 2025-11-21) | |
| Completed reviews | Genart IETF Last Call review of -23 by Joel M. Halpern; Secdir IETF Last Call review of -27 by Loganaden Velvindron; Artart IETF Last Call review of -23 by Arnt Gulbrandsen | |
| Assignment | Reviewer | Loganaden Velvindron |
| State | Completed | |
| Request | IETF Last Call review on draft-ietf-core-href by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/EitB0jDLdjObuNxWOcx61zJNa8A | |
| Reviewed revision | 27 (document currently at 30) | |
| Result | Has nits | |
| Completed | 2025-10-22 |
review-ietf-core-href-27-secdir-lc-velvindron-2025-10-22-00
Thank you to the authors for the hard work on this draft.

"Parsers of CRI references must operate on input that is assumed to be untrusted. This means that parsers MUST fail gracefully in the face of malicious inputs. Additionally, parsers MUST be prepared to deal with resource exhaustion (e.g., resulting from the allocation of big data items) or exhaustion of the call stack (stack overflow). See Section 10 of RFC 8949 [STD94] for additional security considerations relating to CBOR."

Aside from failing gracefully, can we suggest including mitigations like sandboxing the parser to avoid code execution?
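
The parser requirements quoted in the review can be illustrated with a bounded pre-check that runs on CBOR input before any CRI-specific parsing. This is an added example, not code from the draft, the review, or any CRI implementation. The names `check_cbor`, `is_acceptable` and `CBORLimitError` and the limit values are assumptions, and the sketch rejects indefinite-length encodings to stay short.

```python
class CBORLimitError(ValueError):
    """Malformed input, or input that exceeds a configured limit."""

def check_cbor(data: bytes, max_len=1024, max_depth=8, max_items=256) -> int:
    """Walk one definite-length CBOR item iteratively; limits are assumed values."""
    if len(data) > max_len:
        raise CBORLimitError("input too large")
    pos = items = 0
    stack = [1]  # explicit stack (no recursion): items still expected per level
    while stack:
        if stack[-1] == 0:
            stack.pop()
            continue
        stack[-1] -= 1
        if pos >= len(data):
            raise CBORLimitError("truncated input")
        major, info = data[pos] >> 5, data[pos] & 0x1F
        pos += 1
        items += 1
        if items > max_items:
            raise CBORLimitError("too many data items")
        if info < 24:
            arg = info
        elif info <= 27:
            n = 1 << (info - 24)  # 1, 2, 4 or 8 argument bytes
            if n > len(data) - pos:
                raise CBORLimitError("truncated argument")
            arg = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        else:
            raise CBORLimitError("reserved or indefinite-length encoding")
        if major in (2, 3):  # byte/text string: arg is a length, never allocated
            if arg > len(data) - pos:
                raise CBORLimitError("declared length exceeds input")
            pos += arg
        elif major in (4, 5, 6):  # array, map (two items per pair), tag
            count = 1 if major == 6 else arg * (2 if major == 5 else 1)
            if len(stack) > max_depth or count > len(data) - pos:
                raise CBORLimitError("nesting too deep or count exceeds input")
            stack.append(count)
    if pos != len(data):
        raise CBORLimitError("trailing bytes")
    return items

def is_acceptable(data: bytes) -> bool:
    """Fail gracefully: report rejection instead of propagating a crash."""
    try:
        return check_cbor(data) > 0
    except CBORLimitError:
        return False
```

Declared lengths and counts are compared against the bytes actually remaining before anything is sized from them, and nesting is tracked on a bounded list rather than the call stack.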