Last Call Review of draft-ietf-core-resource-directory-24

Request Review of draft-ietf-core-resource-directory
Requested rev. no specific revision (document currently at 25)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2020-03-31
Requested 2020-03-10
Authors Zach Shelby, Michael Koster, Carsten Bormann, Peter Van der Stok, Christian Amsüss
Draft last updated 2020-03-14
Completed reviews Secdir Last Call review of -24 by Adam Montville (diff)
Genart Last Call review of -24 by Russ Housley (diff)
Genart Telechat review of -25 by Russ Housley
Assignment Reviewer Russ Housley
State Completed
Review review-ietf-core-resource-directory-24-genart-lc-housley-2020-03-14
Posted at
Reviewed rev. 24 (document currently at 25)
Review result Not Ready
Review completed: 2020-03-14


I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

Document: draft-ietf-core-resource-directory-24
Reviewer: Russ Housley
Review Date: 2020-03-14
IETF LC End Date: 2020-03-31
IESG Telechat date: Unknown

Summary: Not Ready

Major Concerns:

Section 7.3 says:

   ... the certificate is uniquely identified by the
   CN field and the serial number (see [RFC5280] Section

This is _not_ correct!  RFC 5280 says that the issuer name (not the CN)
and serial number uniquely identify a certificate!  The issuer name is
made up of may naming attributes, and the CN is one that MAY be present.
The list of naming attributes is given in Section of RFC 5280.

Note: Even if the conventions required by IEEE 802.1AR are followed, the
sentence is not correct.

The paragraph goes on to say:

   The RD can assign a unique endpoint name by using the certificate
   identifier as endpoint name.

I believe that this is correct, but it is not the common name (CN)
that makes it correct.  I think that some guidance ia needed here.

Section 7.3 says:

   Proof of possession of the endpoint
   name by the registering endpoint is checked by encrypting the
   certificate identifier with the private key of the registering
   endpoint, which the RD can decrypt with the public key stored in the

This only works if the certificate contains an RSA public key.  There
are algorithm independent ways to achieve this outcome.  With the push
for elliptic curve cryptography and post-quantum cryptography it is
important that this be reworded in an algorithm independent manner.

Section 7.3 says:

   Even simpler, the authorized registering endpoint can
   generate a random number (or string) that identifies the endpoint.
   The RD can check for the improbable replication of the random value.
   The RD MUST check that registering endpoint uses only one random
   value for each authorized endpoint.

Yes, but only if the random number is large enough.  Please offer
some guidance about the size.

Minor Concerns:

General: The document uses "Resource Directory", "resource directory",
and "RD" interchangeably.  I thin it would help the reader if just one
spelling was used throughout.

Section 2: Please update the first paragraph to reference RFC 8174
in addition to RFC 2119, as follows: 

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Also, please put this sentence in a separate paragraph:

   The term "byte" is used in its now customary sense as a synonym for

Further, the definition in Section 2 does not align with the document
Introduction, which says that an RD is used to register, maintain,
lookup and remove information on resources.  I think these should match.

Section 9.5 says:

   IPv4 - "all CoRE resource directories" address MCD2 (suggestion:, from the "IPv4 Multicast Address Space Registry".  As
   the address is used for discovery that may span beyond a single
   network, it has come from the Internetwork Control Block (224.0.1.x,
   RFC 5771).

I believe you want to make RFC 5771 a reference here.  I suggest:

  ... from the Internetwork Control Block (224.0.1.x) [RFC 5771].

In Figures 5 and 6, I am surprised to see the response end in a comma.
Looking at the examples in RFC 6690 and Section 10 of this document
none of them end in a comma.  Please make sure that these figures are

Appendix A:  Can the IPv6 addresses in this appendix be replaced with
ines from RFC 3849 or RFC 4193?


General: IDnits reports three instances of too long lines.

General: These two phrases are used:
- Resource Directory implementations using this specification ...
- Resource Directories implementing this specification ...
- An implementation of this resource directory specification ...
Please pick one, or (my preference):
- RD implementations of this specification ...

Abstract: Some places Resource Directory is spelled out.  Other places
RD is used.  Either spell it out just once or every time.

The captions for Figure 2 and Figure 3 include "E-R", but the text
about the figures uses "ER".  Please choose one spelling.

Section 3.5 includes " (machines -- endpoints) ".  The meaning of
double hypen is unclear to me.  Please use words.

Section 4 includes " (registrant-EPs / CTs, lookup clients, ...".  I
do not know the difference in meaning between the slash and the comma.

Section 8.1 has a typo: "... the et of endpoints ..."