Skip to main content

IETF Last Call Review of draft-ietf-core-oscore-groupcomm-26
review-ietf-core-oscore-groupcomm-26-genart-lc-kyzivat-2025-07-23-00

Request Review of draft-ietf-core-oscore-groupcomm
Requested revision No specific revision (document currently at 28)
Type IETF Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2025-07-29
Requested 2025-07-08
Authors Marco Tiloca , Göran Selander , Francesca Palombini , John Preuß Mattsson , Rikard Höglund
I-D last updated 2026-07-01 (Latest revision 2025-12-23)
Completed reviews Genart IETF Last Call review of -26 by Paul Kyzivat (diff)
Artart IETF Last Call review of -26 by Patrik Fältström (diff)
Secdir IETF Last Call review of -26 by Mališa Vučinić (diff)
Tsvart IETF Last Call review of -26 by Joerg Ott (diff)
Tsvart Telechat review of -27 by Joerg Ott (diff)
Assignment Reviewer Paul Kyzivat
State Completed
Request IETF Last Call review on draft-ietf-core-oscore-groupcomm by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/KGkn8XSWP2Jte8VPy0x4B-nyls4/
Reviewed revision 26 (document currently at 28)
Result Ready w/issues
Completed 2025-07-23
review-ietf-core-oscore-groupcomm-26-genart-lc-kyzivat-2025-07-23-00
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-core-oscore-groupcomm-26
Reviewer: Paul Kyzivat
Review Date: 2025-07-23
IETF LC End Date: 2025-07-29
IESG Telechat date: ?

Summary:

This draft is on the right track but has open issues, described in the 
review.

Comment:

This document notes "Readers are expected to be familiar with" (a 
daunting list of things). This was very challenging for a reviewer, who 
is not. But I did read the whole document. I am incompetent to raise 
issues about the essence of this document. Rather, I have focused on 
more superficial aspects.

ISSUES: 4
NITS: 4

1) ISSUE

Section 2.6.2 says:

"If an implementation's integers support wrapping addition, the 
implementation MUST treat the Sender Sequence Number space as exhausted 
when a wrap-around is detected."

I think I understand the issue, but question how it is stated. Just 
because the implementation does wrapping addition on integers shorter 
than 40 bits, that doesn't mean the implementation isn't capable to 
doing proper 40 bit arithmetic. There must be a better way to say this. 
Perhaps:

"An implementation must treat the Sender Sequence Number space as 
exhausted  when the Sender Sequence Number approaches the maximum value 
it can properly increment."

Also, if an implementation has difficulty handling 40 bit integers, 
won't that also be a problem if it *receives* big sequence numbers?

2) ISSUE

Section 6 says:

"An endpoint MUST be able to distinguish between a Security Context to 
process OSCORE messages ... and a Group OSCORE Security Context ... To 
this end, an endpoint can take into account ... Alternatively, 
implementations can ..."

Why offer alternatives? Why not specify a single unambiguous method?
If there is reason, it would be good to discuss the pros and cons.

3) MINOR ISSUE

Section 2.4 says "The authentication credential of the Group Manager 
SHOULD be encoded according to that same format."

There is no discussion of what conditions would justify violating the 
SHOULD. Without this, many implementers treat SHOULD as MAY. My general 
rule is that every SHOULD must specify that alternative.

4) MINOR ISSUE

Section 7.5 specifies External Signature Checkers. But I couldn't find 
any explanation of their purpose.

I leave it to the authors to decide if there ought to be such an 
explanation.

5) NIT

The Abstract uses "CoAP" acronym without expansion. (Its defined in the 
Intro.) I think this isn't allowed in abstracts, which often stand 
alone. Please expand it in the abstract.

6) NIT: Typo

Section 3.3 says:

"A. and then XOR with X bytes from the Common IV's start, where X is the 
length in bytes of the nonce."

I think the above has a typo that can be fixed by s/A/4/

7) NIT

There is a minor grammatical mistake in section 4:

s/was intended for./was intended./

8) NIT

The IdNits tool reports a number of issues. Many are spurious, but there 
are several downrefs that should be evaluated.