Kathleen, CoRIM Document review comments
Section 9.2.2.1
Am I reading correctly that the validation occurs according to the appropriate specification and that the process is already detailed elsewhere so that there are set methods and fields (or equivalent) so that the process can be followed? The text in this section could state that more explicitly and to look up in the respective documents the appropriate method to use for the cryptographic validation of evidence. I had to read through the examples a few times to get to that conclusion.
Greetings!
I reviewed the CORIM draft in an effort to push this along and it looks ready to move to the next stage. For the debate on 1 or 2 documents, I think one is easier. We can progress it sooner and in my review, I found myself searching around the document for term references. When you break up a document, it will take multiple passes to get it right. I'd prefer to move along and keep it as one to avoid the need for cross referencing documents and potentially making the set longer.
I just have a few questions from my review.
Section 9.4.3
For the byte-by-byte comparison, are there any internationalization considerations? I see for the binary comparisons, STD94 is referenced.
Section 11
This covers the systems aspects well. Are there other considerations such as bounds checking or content validation to assist with preventing exploits on the comparisons? I see there are many references, so this would need to consider those references in implementations, but I would assume the secure programming practices should be included in this section as well.
I'll progress this to the next steps if agreed and would like my questions answered.
Kathleen, CoRIM Document review comments
Section 9.2.2.1
Am I reading correctly that the validation occurs according to the appropriate specification and that the process is already detailed elsewhere so that there are set methods and fields (or equivalent) so that the process can be followed? The text in this section could state that more explicitly and to look up in the respective documents the appropriate method to use for the cryptographic validation of evidence. I had to read through the examples a few times to get to that conclusion.
Greetings!
I reviewed the CORIM draft in an effort to push this along and it looks ready to move to the next stage. For the debate on 1 or 2 documents, I think one is easier. We can progress it sooner and in my review, I found myself searching around the document for term references. When you break up a document, it will take multiple passes to get it right. I'd prefer to move along and keep it as one to avoid the need for cross referencing documents and potentially making the set longer.
I just have a few questions from my review.
Section 9.4.3
For the byte-by-byte comparison, are there any internationalization considerations? I see for the binary comparisons, STD94 is referenced.
Section 11
This covers the systems aspects well. Are there other considerations such as bounds checking or content validation to assist with preventing exploits on the comparisons? I see there are many references, so this would need to consider those references in implementations, but I would assume the secure programming practices should be included in this section as well.
I'll progress this to the next steps if agreed and would like my questions answered.