Deb Cooley has entered the following ballot position for draft-ietf-grow-nrtm-v4-09: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-grow-nrtm-v4/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

While I'm balloting 'no objection', I would like these comments to be carefully considered and addressed (not necessarily changes, if I have misunderstood).

Thanks to Watson Ladd for their secdir review.

Section 5.3, bullet 4, Section 5.4, bullets 6&8: Are these files signed? And if so, does the client validate the signature? Or only the hash? Is the hash algorithm the one that is specified in Section 6.4?

Section 5.6: The mirror client only verifies the signature on the Update Notification File? Not on the Snapshot or the Delta files?

Section 6.4: Consider mentioning that the jose registry referenced specifies both the hash and signature algorithm. It might be useful to state that the hash specified with the signature algorithm is the one that must be used.

Section 7 and 8: I don't see anything about hashing the contents of these files? Much less which hash to use (the one specified in Section 6.4).

Section 11, para 3: Doing a bit for bit comparison of a hash is not an integrity check. Does the Delta and/or Snapshot happen before the Update Notification File? If so, then that hash shows where an error/attack has occurred.

Section 11: There should be a short paragraph that explains the risks associated with compression algorithms. I can help write this paragraph, if needed.
