Hi Orie,

Thanks for the review. Please see inline.

On Sun, 4 Aug 2024 at 23:27, Orie Steele via Datatracker <[email protected]> wrote:

> Orie Steele has entered the following ballot position for
> draft-ietf-opsawg-mud-tls-15: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud-tls/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> # Orie Steele, ART AD, comments for draft-ietf-opsawg-mud-tls-15
> CC @OR13
>
> https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-tls-15.txt&submitcheck=True
>
> ## Comments
>
> ### normative should?

I can't think of any valid exceptions why alerts won't be triggered for parameters that are susceptible to attacks. We can replace "should" with "MUST"

> ```
> 972 * If the MUD (D)TLS profile includes any parameters that are
> 973 susceptible to attacks (e.g., weaker cryptographic parameters), an
> 974 alert should be triggered to the firewall vendor and the IoT
> 975 device owner or administrator.
> ```
>
> ### normative MUST?
>
> ```
> 1070 consideration. The middlebox must adhere to the invariants discussed
> 1071 in Section 9.3 of [RFC8446] to act as a compliant proxy.
> ```

Yes, updated.

> ## Nits
>
> ### Strongly NOT RECOMMENDED?
>
> ```
> 1216 It is strongly RECOMMENDED to avoid a (D)TLS proxy whenever possible.
> ```
>
> Might be better phrased as "The use of (D)TLS proxies is NOT RECOMMENDED."

Works for me, fixed.

Cheers,
-Tiru
_______________________________________________ OPSAWG mailing list -- [email protected] To unsubscribe send an email to [email protected]
