[Last-Call] Last Call: <draft-ietf-uuidrev-rfc4122bis-08.txt> (Universally Unique IDentifiers (UUID)) to Proposed Standard

I think "Ready with Nits" is probably closest to my feelings, see below.

This document is an excellent overview of all the wonderful things that have gone on in the UUID world, and the various properties that various UUID generation methods and formats do or do not have.  There's lots of information scattered throughout the document about important pitfalls to take into account when using UUIDs in software projects, many of which have potential security implications.  My worry is that the vast majority of them will be missed by potential implementors.

I think the document would be vastly improved if the security considerations section were expanded to list a variety of security-relevant properties (for example, guaranteed uniqueness), and also an easy-to-read table showing which UUID generation methods do / do not have the desired properties.  This would greatly assist implementors who are looking for a UUID method / format that has the properties they want, and would help security reviewers to be able to quickly determine the properties (or lack thereof) of a certain kind of UUID, and use that as input to a security analysis about how UUIDs are used.

I would encourage the authors to think about whether they agree such a summary of security properties would be helpful, and consider adding it.

-Tim

-----Original Message-----
From: IETF-Announce <ietf-announce-bounces@xxxxxxxx> On Behalf Of The IESG
Sent: Tuesday, July 25, 2023 2:17 PM
To: IETF-Announce <ietf-announce@xxxxxxxx>
Cc: uuidrev@xxxxxxxx; mcr+ietf@xxxxxxxxxxxx; uuidrev-chairs@xxxxxxxx; draft-ietf-uuidrev-rfc4122bis@xxxxxxxx
Subject: Last Call: <draft-ietf-uuidrev-rfc4122bis-08.txt> (Universally Unique IDentifiers (UUID)) to Proposed Standard


The IESG has received a request from the Revise Universally Unique Identifier Definitions WG (uuidrev) to consider the following document: - 'Universally Unique IDentifiers (UUID)'
  <draft-ietf-uuidrev-rfc4122bis-08.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@xxxxxxxx mailing lists by 2023-08-08. Exceptionally, comments may be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract


   This specification defines the UUIDs (Universally Unique IDentifiers)
   and the UUID Uniform Resource Name (URN) namespace.  UUIDs are also
   known as GUIDs (Globally Unique IDentifiers).  A UUID is 128 bits
   long and is intended to guarantee uniqueness across space and time.
   UUIDs were originally used in the Apollo Network Computing System and
   later in the Open Software Foundation's (OSF) Distributed Computing
   Environment (DCE), and then in Microsoft Windows platforms.

   This specification is derived from the DCE specification with the
   kind permission of the OSF (now known as The Open Group).
   Information from earlier versions of the DCE specification have been
   incorporated into this document.  This document obsoletes RFC4122.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-uuidrev-rfc4122bis/



No IPR declarations have been submitted directly on this I-D.





_______________________________________________
IETF-Announce mailing list
IETF-Announce@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf-announce

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


