Telechat Review of draft-ietf-cose-x509-07
review-ietf-cose-x509-07-iotdir-telechat-bormann-2020-10-19-00

Request Review of draft-ietf-cose-x509
Requested rev. no specific revision (document currently at 07)
Type Telechat Review
Team Internet of Things Directorate (iotdir)
Deadline 2020-10-19
Requested 2020-10-08
Requested by √Čric Vyncke
Authors Jim Schaad
Draft last updated 2020-10-19
Completed reviews Genart Last Call review of -07 by Vijay Gurbani
Secdir Last Call review of -07 by Charlie Kaufman
Iotdir Telechat review of -07 by Carsten Bormann
Assignment Reviewer Carsten Bormann 
State Completed
Review review-ietf-cose-x509-07-iotdir-telechat-bormann-2020-10-19
Posted at https://mailarchive.ietf.org/arch/msg/iot-directorate/QQ2TnS74WdVNaAaen090CUMpi1M
Reviewed rev. 07
Review result Ready with Issues
Review completed: 2020-10-19

Review
review-ietf-cose-x509-07-iotdir-telechat-bormann-2020-10-19

First, I would like to express my gratitude to Jim Schaad for having
done this work (and all the work that led up to making this work
possible).

The draft fills a gap where COSE is being used in conjunction with
infrastructure employing X.509-based validation of keys.  JOSE defined
the necessary parameters right away, while the use case for COSE was
less clear initially.

One criticism might be that the draft does not speculate on how
constrained devices could share tasks that need to be performed in
this use case with trusted less-constrained devices -- there are
probably infinite ways of doing so, and the ones actually to be used
should rather be discussed in the protocols that govern the
constrained--less-constrained communication.

The draft is ready with issues.

## Major

Section 1:

The draft points to examples to be found in the github repository
https://github.com/cose-wg/Examples -- these are not in there.
Either these examples need to be added or this sentence deleted.

## Minor

Section 2:

I'm not sure what "certificates of a chain length of..." actually
means -- the chain length is not an intrinsic property of a
certificate, but a function of what the application's roots are.
Maybe rephrase:

   These rules apply when the validation succeeds in a single step as
   well as when certificate chains need to be built.

The draft uses the term "bag" for what is meant to be a set.
Maybe stick with the "x5bag" parameter name and the prose "certificate
bag", but when saying what it is, say that it is a set.

## Nits

https://github.com/cose-wg/X509/pull/28