[Last-Call] Genart last call review of draft-ietf-cose-cwt-claims-in-headers-06

Reviewer: Ines Robles
Review result: Ready with Issues

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-cose-cwt-claims-in-headers-06
Reviewer: Ines Robles
Review Date: 2023-10-17
IETF LC End Date: 2023-10-20
IESG Telechat date: Not scheduled for a telechat

Summary:

This document describes how to include CBOR Web Token (CWT) claims in the
header parameters of any COSE structure.

The document is well written; I have minor issues and nits, indicated below.

Major issues: None

Minor issues:

1- Section 3: "Some of the registered CWT claims may contain privacy-sensitive
information. Therefore care must be taken when expressing CWT claims in COSE
headers." --> What kind of care? Are there specific guidelines to follow?
Could you add an example, or add a reference?

2- Section 4:

Detached Signatures: The security section does not delve into the security
considerations of using detached signatures. Since detached signatures are one
focus of the functionality, it might be helpful to discuss the security
implications specific to them.

Claims in Headers: Considering that some claims can be available before
decryption or without inspecting the payload, perhaps it would be nice to
discuss the risks associated with exposing claims in this manner, or add
reference?

Data Consistency: Is there a security angle to ensuring that claims present
both in the payload and header are identical, beyond just verification?

It seems that these items are not included in the security considerations of
RFC 8392. What do you think?

Nits/editorial comments:

3- It would be nice to expand JWT at its first use -> JSON Web Token (JWT)

4- It would be nice to have a caption for Table 1

5- Table 1: "TBD (requested assignment 13)", the 13 was assigned to kcwt, so
maybe suggest another value?

Thanks for this document,

Ines.

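The "Claims in Headers" and "Data Consistency" points above concern what a verifier should do with CWT claims that are readable from a COSE protected header before (or without) inspecting the payload. The following is an added illustration, not code from the draft or the reviewer: it models the header and payload as already-decoded maps (no CBOR library), uses the RFC 8392 claim keys, and treats the "CWT Claims" header label as a placeholder since the draft under review still lists it as TBD; which claims count as privacy-sensitive is an assumption.

```python
"""Cross-check CWT claims carried in a COSE protected header against the
claims in the payload. Header and payload are modelled as decoded maps;
sample values below are constructed for the example."""

# Claim keys registered by RFC 8392.
ISS, SUB, AUD, EXP, CTI = 1, 2, 3, 4, 7
# Header label for "CWT Claims": placeholder, still TBD in the reviewed draft.
CWT_CLAIMS_LABEL = "TBD-cwt-claims"
# Assumption: claims a deployment treats as privacy-sensitive when they are
# readable from the header without decrypting or inspecting the payload.
PRIVACY_SENSITIVE = {SUB}


def check_header_claims(protected, payload_claims):
    """Compare header claims with payload claims.

    protected: decoded COSE protected header map.
    payload_claims: decoded CWT claims map, or None when the payload is
    detached or not yet decrypted and therefore cannot be compared.
    Returns {'consistent': True/False/None (None = unverifiable),
             'mismatched': claim keys whose values differ,
             'exposed': privacy-sensitive claim keys present in the header}.
    """
    header_claims = protected.get(CWT_CLAIMS_LABEL)
    if header_claims is None:
        return {"consistent": True, "mismatched": [], "exposed": []}
    if not isinstance(header_claims, dict):
        raise ValueError("CWT Claims header parameter must be a map")
    exposed = sorted(k for k in header_claims if k in PRIVACY_SENSITIVE)
    if payload_claims is None:
        # Detached or encrypted payload: header claims are readable but not
        # verifiable yet, so a relying party must not act on them alone.
        return {"consistent": None, "mismatched": [], "exposed": exposed}
    mismatched = sorted(k for k, v in header_claims.items()
                        if k in payload_claims and payload_claims[k] != v)
    return {"consistent": not mismatched, "mismatched": mismatched,
            "exposed": exposed}


# Constructed sample: COSE_Sign1 (alg 1 = ES256, -7) whose header repeats
# iss/sub/exp from the payload, and a variant whose header exp was altered.
SAMPLE_PAYLOAD = {ISS: "coap://as.example", SUB: "device-42",
                  EXP: 1700000000, CTI: b"\x01"}
SAMPLE_PROTECTED = {1: -7, CWT_CLAIMS_LABEL: {
    ISS: "coap://as.example", SUB: "device-42", EXP: 1700000000}}
TAMPERED_PROTECTED = {1: -7, CWT_CLAIMS_LABEL: {
    ISS: "coap://as.example", EXP: 1900000000}}

if __name__ == "__main__":
    print(check_header_claims(SAMPLE_PROTECTED, SAMPLE_PAYLOAD))
    print(check_header_claims(TAMPERED_PROTECTED, SAMPLE_PAYLOAD))
    print(check_header_claims(SAMPLE_PROTECTED, None))  # detached payload
```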

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call