Re: [Last-Call] [Ace] Secdir last call review of draft-ietf-ace-cmpv2-coap-transport-05

Hi Valery,
Here is my response to your comments, please let me know if this
resolves the comments.

====================================
> 1. I believe that the security considerations from RFC 6712 should be either
> echoed in this document (where applicable), or at least be referenced.
<M.S.> HTTP and CoAP are different but similar protocols; I have
covered the applicable security considerations in this draft:

Consideration #1 in RFC 6712 is echoed in the following paragraph:

   The proxy however may itself be vulnerable to resource-exhaustion
   attacks as it's required to buffer the CMP messages received over
   CoAP transport before sending it to the HTTP endpoint.  This can be
   mitigated by using short timers for discarding the buffered messages
   and rate limiting clients based on the resource usage.

Consideration #2 in RFC 6712 is covered as follows:

   The CMP protocol depends upon various mechanisms in the protocol
   itself for making the transactions secure therefore, security issues
   of CoAP due to using UDP without cryptographic protections for
   message confidentiality and integrity, do not carry over to the CMP
   layer

Consideration #3 in RFC 6712 is not applicable to CoAP transport.

Consideration #4 in RFC 6712 is covered as follows:

   An EE may miss some of the Announcement messages when using CoAP
   Observe option [RFC7641] since Observe option is a "best-effort"
   approach and server can lose state about subscribers for announcement
   messages.  The EEs may use alternate method described in section 2.6
   to get time critical changes like CRL updates.

And Consideration #5 is covered in Section 3 "Using CoAP over
DTLS" of the draft.

====================================

>I think that Section 3 (Using CoAP over DTLS) should be moved to the
>Security Considerations section, or be referenced from there.

Can you please provide the reasoning for why Section 3 should be
referenced in the Security Considerations section?
Part of it is covered in

====================================
>   The CoAP is vulnerable due to the connectionless characteristics of UDP
>   itself.
>   should either be expanded of what particular vulnerabilities are meant (because
>   not all CoAP vulnerabilities are concerned with using UDP) or deleted.

I believe the following statement in the Security Considerations covers this:

The Security considerations for CoAP are mentioned in the [RFC7252].

Thanks
Mohit

On Tue, Oct 18, 2022 at 4:54 AM Valery Smyslov via Datatracker
<noreply@xxxxxxxx> wrote:
>
> Reviewer: Valery Smyslov
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> This document defines the use of Constrained Application Protocol
> (CoAP) as a transport for the Certificate Management Protocol (CMP).
>
> Nits:
> 1. I believe that the security considerations from RFC 6712 should be either
> echoed in this document (where applicable), or at least be referenced.
>
> 2. I think that Section 3 (Using CoAP over DTLS) should be moved to the
> Security Considerations section, or be referenced from there.
>
> 3. Section 5. I think that the sentence
>
>    The CoAP is vulnerable due to the connectionless characteristics of UDP
>    itself.
>
> should either be expanded of what particular vulnerabilities are meant (because
> not all CoAP vulnerabilities are concerned with using UDP) or deleted.
>
>
>
> _______________________________________________
> Ace mailing list
> Ace@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ace

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
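The resource-exhaustion mitigation quoted from the draft above (short discard timers for buffered messages plus per-client rate limiting by resource usage) can be made concrete with a small model of the proxy's buffer. The following is an added illustration, not code from the draft, the thread, or any CMP/CoAP implementation: `CmpProxyBuffer`, `FakeClock`, the byte quotas, the TTL and the client addresses are all constructed for this example, and the "messages" are opaque byte strings standing in for DER-encoded CMP PDUs.

```python
"""Bounded buffer for a CoAP-to-HTTP CMP proxy (hypothetical illustration).

Models the two mitigations named in the draft's security considerations:
a short timer that discards buffered CMP messages, and a per-client
resource quota so one flooding client cannot exhaust the proxy.
"""
import time
from collections import deque


class CmpProxyBuffer:
    """Per-client and global byte caps with a discard timer (constructed)."""

    def __init__(self, per_client_bytes, total_bytes, ttl, clock=time.monotonic):
        self.per_client_bytes = per_client_bytes   # quota for one CoAP client
        self.total_bytes = total_bytes             # global cap for the proxy
        self.ttl = ttl                             # seconds before a buffered message is dropped
        self.clock = clock                         # injectable for deterministic tests
        self._entries = deque()                    # (arrival_time, client, size), oldest first
        self._client_usage = {}                    # client -> bytes currently buffered
        self._total = 0

    def expire(self):
        """Discard buffered messages older than ttl; returns bytes freed."""
        now = self.clock()
        freed = 0
        while self._entries and now - self._entries[0][0] >= self.ttl:
            _, client, size = self._entries.popleft()
            self._client_usage[client] -= size
            self._total -= size
            freed += size
        return freed

    def accept(self, client, payload):
        """Buffer a CMP message received over CoAP.

        Returns False (message refused) if it would push the client over its
        quota or the proxy over its global cap; stale entries are purged first
        so the quotas reflect only recent traffic.
        """
        self.expire()
        size = len(payload)
        used = self._client_usage.get(client, 0)
        if used + size > self.per_client_bytes or self._total + size > self.total_bytes:
            return False
        self._entries.append((self.clock(), client, size))
        self._client_usage[client] = used + size
        self._total += size
        return True

    def usage(self, client):
        """Bytes currently buffered for one client."""
        return self._client_usage.get(client, 0)


class FakeClock:
    """Manually advanced clock so the discard timer can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood():
    """One client floods the proxy; a second client should still be served.

    Returns a dict with the number of flood messages accepted, whether the
    other client got through, the bytes freed by the timer, and whether the
    flooding client is served again once its stale messages were discarded.
    """
    clock = FakeClock()
    buf = CmpProxyBuffer(per_client_bytes=3000, total_bytes=8000, ttl=5.0, clock=clock)
    msg = b"\x30" * 1000                      # constructed 1000-byte stand-in for a CMP PDU
    flooder = "coap://[2001:db8::1]"          # constructed client address
    other = "coap://[2001:db8::2]"            # constructed client address
    accepted = sum(buf.accept(flooder, msg) for _ in range(6))   # quota allows only 3
    other_ok = buf.accept(other, msg)         # global cap not reached, so served
    clock.advance(5.0)                        # discard timer fires
    freed = buf.expire()
    after_expiry = buf.accept(flooder, msg)   # quota is free again
    return {"accepted": accepted, "other_ok": other_ok,
            "freed": freed, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(simulate_flood())
```

The point of the injected clock is that the timer behaviour is testable without sleeping; in a real proxy the same `expire()` would run from a periodic task, and the quota check would sit in front of whatever forwards the buffered PDU to the HTTP endpoint.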


