Comments on draft-ietf-cose-rfc8152bis-struct-07 and
draft-ietf-cose-rfc8152bis-algs-06
General:
- Minor note: The abstracts of the documents have minor differences and the
subsections in the introductions have different orders.
- As RFC 8610 is published now, shouldn’t the documents be updated to match
the final CDDL grammar?
draft-ietf-cose-rfc8152bis-struct-07:
- "There has been an increased focus on small, constrained devices"
I think the document should mention constrained radio technologies as well
- "strings" is used in various places. Should be changed to "byte string"
or "text string" as CBOR has two types of strings
- "3. The content of the message. The content is either the plaintext or the
ciphertext as appropriate."
This seems to only describe encryption. For signatures and MACs it would be
payload, signature/tag.
- "structure", "message", "object", "map", "array", "object structure",
"message structure", "data object", "structure object", "map object", "array
object", "data structure", "data item", "CBOR structures", "COSE structure",
"COSE map", "CBOR map", "CBOR object", "COSE object"
There is a large amount of terms used in the documents. I feel that they
could be defined a bit more. Also, are all of them really needed?
- OLD "The set of protected header parameters wrapped in a bstr."
NEW "The set of protected header parameters as a map wrapped in a bstr."
- The draft has quite a lot of text on different types of signatures like
signatures with message recovery. Would be good to have some sentences on
signatures with and without state. The text on signatures is also missing that
they provide data authentication, integrity protection, and
non-repudiation.
- "They provide either no or very limited data origination."
This sentence occurs in several places. The term "data origination" seems not
to be used very much and also to have different meanings.
E.g. the book "Information Security: Dictionary of Concepts, Standards and
Terms" defines it as
"data origination. In computing, the translation of information from its
original form into machine readable form or directly into electrical signals."
Could we replace "data origination" with "non-repudiation"?
- "digesst"
- "stucture"
draft-ietf-cose-rfc8152bis-algs-06
- "the the"
Cheers,
John
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
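Added illustration (not part of John's mail, the COSE drafts, or any COSE library): a minimal CBOR encoder written for this note, used to show the two points above about string types and the protected header. CBOR byte strings (major type 2) and text strings (major type 3) carry the same bytes under different type headers, so "string" alone is ambiguous; and the protected header is the parameter map serialised once and carried as a bstr, both in the message and inside Sig_structure (RFC 8152 sections 3 and 4.4), so a verifier must reuse the received bytes rather than re-encode the map. The header labels used (1 = alg, 3 = content type) and the sample values are chosen for the example.

```python
"""Minimal CBOR encoder (integers, bstr, tstr, arrays, maps) for illustrating
the COSE protected-header encoding. Written for this note; not a real library."""


def _head(major: int, arg: int) -> bytes:
    """Initial byte(s): 3-bit major type plus 5-bit additional information."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + arg.to_bytes(size, "big")
    raise ValueError("argument too large")


def encode(item) -> bytes:
    """Encode the subset of CBOR data items needed for COSE header examples."""
    if isinstance(item, bool):
        raise TypeError("booleans are not used in this example")
    if isinstance(item, int):                      # major types 0 and 1
        return _head(0, item) if item >= 0 else _head(1, -1 - item)
    if isinstance(item, bytes):                    # major type 2: byte string
        return _head(2, len(item)) + item
    if isinstance(item, str):                      # major type 3: text string
        data = item.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(item, list):                     # major type 4: array
        return _head(4, len(item)) + b"".join(encode(x) for x in item)
    if isinstance(item, dict):                     # major type 5: map
        return _head(5, len(item)) + b"".join(
            encode(k) + encode(v) for k, v in item.items())
    raise TypeError(f"unsupported type {type(item).__name__}")


def string_types() -> tuple:
    """Same three bytes as bstr and as tstr: only the type header differs."""
    return encode(b"abc").hex(), encode("abc").hex()


def serialize_protected(params: dict) -> bytes:
    """The protected header parameters as a map, serialised once.

    When placed in a COSE array (or in Sig_structure) this value is wrapped
    as a bstr; an empty map is carried as the zero-length bstr (RFC 8152 s.3).
    """
    return encode(params) if params else b""


def sig_structure(body_protected: bytes, external_aad: bytes, payload: bytes) -> bytes:
    """Sig_structure for COSE_Sign1 (RFC 8152 s.4.4).

    body_protected is the serialised map from the received message, included
    byte for byte; regenerating it from the decoded map may change the bytes.
    """
    return encode(["Signature1", body_protected, external_aad, payload])


def reencoding_differs() -> bool:
    """Two encodings of the same map (alg = -7, content type = 50) in a
    different key order: different bytes, so a re-encoded header would not
    match what was signed."""
    received = serialize_protected({1: -7, 3: 50})
    regenerated = serialize_protected({3: 50, 1: -7})
    return received != regenerated


if __name__ == "__main__":
    print("bstr / tstr:", string_types())
    hdr = serialize_protected({1: -7})
    print("protected map:", hdr.hex(), "wrapped:", encode(hdr).hex())
    print("empty protected:", encode(serialize_protected({})).hex())
    print("Sig_structure:", sig_structure(hdr, b"", b"hi").hex())
    print("re-encoding differs:", reencoding_differs())
```

Running it shows 0x43616263 against 0x63616263 for the two string types, the protected map {1: -7} as a10126 and its bstr wrapping 43a10126, and the empty protected header as the single byte 0x40.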