Use of CryptoTransformKeyRevisionIntHolder alias in operation parameters

The DDS Security Specification 1.2 defines the CryptoTransformKeyRevisionIntHolder type as:

typedef int32 CryptoTransformKeyRevisionIntHolder;

The SPIs should use this type consistently where appropriate.
For example, activate_key_revision SPI uses CryptoTransformKeyRevisionIntHolder to type its key_revision parameter. However, the key_revision parameter of create_local_datawriter_crypto_tokens, create_local_datareader_crypto_tokens and create_local_datareader_crypto_tokens is an int32.

This should be changed so all these operations use CryptoTransformKeyRevisionIntHolder

Clarify section “9.8.10.2 Key Exchange with remote DataReader

The description in page 182 should clarify that that the participant can call create_local_datawriter_crypto_tokens multiple times (to get a crypto token sequence for different revisions).

2.2.3 (p. 96) The DataReader requests that liveliness of
the writers is maintained by the requested
means and loss of liveliness is detected with
delay not to exceed the lease_duration.
The DataWriter commits to signalling its
liveliness using the stated means at
intervals not to exceed the lease_duration.

Since both the DataReader and DataWriter have a lease duration, the reference to lease_duration is ambiguous.

2.2.3.11 (p. 107) Changes in LIVELINESS must be detected by the Service with a time-granularity greater or equal to the lease_duration. This
ensures that the value of the LivelinessChangedStatus is updated at least once during each lease_duration and the related
Listeners and WaitSets are notified within a lease_duration from the time the LIVELINESS changed.

Same problem, the reference to lease_duration could refer to the writer or the reader.

Other sections not mentioning the lease_duration may have similar problems.

The language around on_liveliness_changed implies that changes (listener, wait set) must be communicated at least once for every lease_duration of the DataReader.

The spec should clarify three things:
1. How often does the DataReader evaluate the liveliness of a DataWriter? Is this at a period of at most the DataReader's lease_duration or a period of at most the DataWriter's lease_duration?
2. When the DataReader evaluates the liveliness of a DataWriter, which lease_duration should it use, the lease_duration of the DataReader or the lease_duration of the DataWriter?
3. Are the rules for evaluating liveliness for the purpose of ownership the same as for listeners and waitsets? This question is particularly vexing because it can lead to inconsistency where ownership should be eventually consistent.

To illustrate the problem, consider the following a system using exclusive ownership.

• Writer 1 has a lease_duration of 1 second but only writes/asserts every 4 seconds. Ownership strength of 1.
• Writer 2 has a lease_duration of 1 second but only writes/asserts every 4 seconds. Ownership strength of 2.
• Reader 1 has a lease_duration of 2 seconds.
• Reader 2 has a lease_duration of 4 seconds.

Let events happen according to this sequence:

If we assume that the readers evaluate liveliness at a period of their own lease_duration using their own lease_duration, then Reader 2 will always see Writer 2 as the owner while Reader 1 will toggle ownership between the writers. Thus, there is no eventual consistency of exclusive ownership.

If we assume that the readers evaluate liveliness at a period of their own lease_duration using the lease_duration of the writer, then both readers will consistently toggle and never see a live writer.

If we assume that the readers evaluate liveliness independently for each writer at the lease_duration of the writer, then the readers will see ownership toggling but periods where writers are alive.

Ideally, liveliness would be objective and not subjective. That is, liveliness should be based on the behavior of the writer interpretted by its lease_duration. Different readers may observe different things leading to temporary inconsistency, but eventual consistency would be guaranteed.

If the spec choose a subjective approach, then language should be added that warns the reader of the problem and the consequences like ownership not working as expected.

When an annotation application definition has a simpgle paramater the application can omit the paramater name.

When an annotation application specifies multiple parameters it is possible to commit the parameter name for the parameter named "value" ,

This means that an annotation that was specified with a single parameter (not called value) which is then extended will need to be modified if a second paramater is added.

Instead it would be more flexible to say that the first paramater can be unnamed regardless of the name.

There are three problems.

1. The beginning of 7.3.1.2.1.11 says “Table 18. In some cases, this is not desirable. This default behavior may be modified using the @ignore_literal_names annotation.” It is unclear what exactly may not be desirable. Perhaps this was referring to the fact that enumerator names are used in the assignability check which indeed may be undesirable.

2. There is no way for `@ignore_literal_names` to be encoded in TypeObjects which means they are not used during discovery and cannot be used in assignability checks.

3. The text should clarify if this is an annotation that is only applied locally and/or applied to remotes.

The description of is_write_protected starts with "Indicates if read access". This should be "Indicates if write access."

The normative IDL doesn't have SecureSubmessageCategory_t, but it does have SecureSumessageCategory_t which appears to be a typo.

DDS Security 1.2 added two elements to the Governance XSD: enable_key_revision and rtps_psk_protection_kind.
These elements were added without specifying a value for minOccurs which according the XSD rules it would default to 1. The result of this is that existing governance documents would not be valid according to the XSD. This was not the intent

Instead the elements should have been added specifying minOccurs="0".

This change impacts the machine-readable file omg_shared_ca_governance.xsd

Would be useful to have support for @optional for union members. As IDL exceptions can be used through DDS-RPC also add exception members to this table, very likely to the ones that also are supported by structures

In the spec this section reads:

7.2.1.1 Type Evolution Example

Assume a DDS-based distributed application has been developed that uses the Topic “Vehicle
Location” of type VehicleLocationType. The type VehiclePositionType itself was defined
using the following IDL:

(quote)
// Initial Version
struct VehicleLocationType {
(quote)

VehiclePositionType in the second sentence should be replaced with VehicleLocationType

The specification is not consistent regarding which elements can be annotated. Specifically regarding typedef declartions.

Section 7.2.2.6 "Annotations" says:
"An annotation describes a piece of metadata attached to a type or an element/member/literal of an aggregated/collection/enumerated type. Annotations can also be attached to the related_type of an alias type."

However
section 7.3.1.2.1 (Built-in Annotations) says:

In IDL, an annotation may be applied to any construct or sub-construct
(see Sub Clause 7.4.15.2, [IDL]). This specification restricts the applicability of annotations to constructed types, bitmask constants, enumerated type literals, and members of aggregated types.

I believe the intent all along was to allow annotations, such as @range and @unit in typedef. Also would be nice to align with whet IDL4 says.

At a minimum in XTYPES we should remove the specification of where annotations apply from section 7.3.1.2.1 and instead reference 7.2.2.6.

The specification does not state clearly if a writer and and reader that have types with incompatible values of @unit or @range should match?

Also it is not clear as if both a complete TypeObject and a minimal TypeObject should be sent or just one and how it is decided.

It would seem like.a good idea to allow application (DataReaders) to opt in or out of matching writers that have types with incompatible @range and/or @unit. If so mechanisms should be provided to configure this and make sure the complete TypeIdentifier is propagated in those cases as the corresponding TypeObject is the only one that has the information of @range and @unit.

The specification should specify how string parameters should be escaped when used withing a query string, for example a query_expression of "name = 'bar'", but what if bar is a string with a single quote, newline, tab, etc? The specification should specify the escaping rules for that.

Pg 48 7.2.2.4.6 first sentence

For each Aggergated Type "T" the type system defines a related [...]

-> Aggregated

Pg 48 7.2.2.4.6 first sentence

[...] obtainied from "T" by removing the key designation

-> obtained

Pg 50 7.2.2.4.7 first sentence

[...] obtainied from "T" as follows:

-> obtained

Pg 54 Figure 19 label at aggregation arrow to AnnotationParameter

+paramter_seq

-> +parameter_seq

Pg 133 Table 38 4th row column meaning

Conditionally swaps the bytes [...] matches the native Endianess

-> Endianness

Pg 146 continuation of 7.4.3.5.3 4th line from top

// FMMEBER can be NOPT_FMEMBER [...]

-> FMEMBER

Pg 215 Table 60 4th column, header

Endianess

-> Endianness

Pg 248 continuation of Annex A 2nd para from top

<xs:simpleType name="autoIdKind">
  <xs:restriction base="xs:string">
    <xs:enumeration value="hash"/>
      <xs:enumeration value="sequencial"/>

-> <xs:enumeration value="sequential"/>

Pg 263 continuation of Annex B bottom of page

// Flags that apply to type declarationa and DO affect assignability

-> declarations

Pg 266 continuation of Annex B 3rd para from top

// Used for Types that have cyclic depencencies with other types

-> dependencies

Pg 268 continuation of Annex B approx 10 lines down

// ============ Plain collectios - use TypeIdentifierKind =========

-> collections

Pg 43 7.2.2.4.4.4.3 Member Index 2nd sentence

[...] of the member within the Aggegated type.

Pg 47 7.2.2.4.5 Inheritance of Aggregated Types 1st sentence

The Type System supports single inheritance of Aggegated Types.

Pg 49 continuation of 7.2.2.4.6 comment before union Command_TypeErased

// The related KeyErased type definition only applies to aggegated types.

Pg 51 continuation of 7.2.2.4.7 comment before union Command__KeyHolder

// The related KeyHolder type definition only applies to aggegated types.

On this last occurrence, is the double underscore in union Command__KeyHolder intentional?

The Resolution Summary of DDSXTY13-23 states:

Structure types can inherit from other structure types as long as:

• [...]
• The derived type does not define any key fields.
  Is this really what we want to do. Will it break some definition where the "base type" is just being reused as a "header"?

I propose to change the first sentence to

• The derived type does not define any key fields if any of its ancestor types is non nested.

This restores viability for the mentioned use case where the base type(s) are just being used as header(s).
It hinges on the assumption that if all base types are nested then the question of assignability does not arise at the topic level.

Some JSON schemas contain lack certain restrictions that are enforced in strict validations.

In section 10 and its subsections there are two properties that are named incorreclty in that a "." has been used instead of a "_". Specifically there are places in the section that use the names
"rtps_psk.secret_passphrase" and "rtps_psk.symmetric_cipher_algorithm"

These should be replaced with:
"rtps_psk_secret_passphrase" and
"rtps_psk_symmetric_cipher_algorithm"

Which are the names that appear in the "Configuration Properties" tables in the "Property Name" column.

This is related to https://issues.omg.org/issues/DDSXTY14-13, and it might actually be covered by it, but I can't read into the comments at the moment to see if this specific issue was mentioned. As mentioned in 7.2.2.2.1, strings should be either UTF-8 or UTF-16. @try_construct(TRIM) can cause strings to be truncated. If they are truncated in the middle of a UTF-8 multi-byte code point or UTF-16 surrogate pair, then it would leave invalid data at the end of the string. Ideally an implementation could read trim the strings intelligently, but the spec should say what the behavior is.

As defined create_sample can only return the sample object. This doesn't allow the API to indicate that there was an error unlike other calls in DDS. Other operations either can't normally fail, return an interface that can be null, or return a ReturnCode_t. At least in the C++ Language Mapping, create_sample can return a struct or a union by value, so it can't be null in those cases (section 5.11). I imagine this might be different in other mappings though.

Section 8.3.2.11.11 has no description of the permissions_token parameter

(This may be a moot point depending on the resolution of DDSSEC12-13.)

The row of Table 52 that describes validate_local_identity states that the QoS it receives must contain the properties defined in section 9.3.1. These properties are the ones starting with dds.sec.auth.

The problem is that for begin_handshake_* (either variant) to work, validate_local_identity must also receive the property dds.sec.access.permissions. This should be noted in the requirements for validate_local_identity: it must store the QoS, or at least this property, in a location that can be looked up by IdentityHandle so that handshake tokens can be created. Alternatively, the begin_handshake_* operations could be extended to receive this info separately.

Another connection between the two plugins is made by the PermissionsCredentialToken. If the intent is to use this data when generating handshake handles, that should be noted in tables 49-50 (c.perm) instead of referencing QoS policies there.

Section 8.8.9 specifies that when the crypto tokens are sent on the network,
BuiltinParticipantVolatileMessageSecureWriter is used so they are not sent in the clear. This detail is also described in 8.5.1.8.1 and other parts of 8.5.1.8.

Section 8.5.1.8.1 (2nd pgh) contains
...intended for transmission in "clear text" to the remote...
which contradicts 8.8.9.

To resolve this issue, remove a few unnecessary parts of 8.5.1.8:

• 8.5.1.8.1 2nd sentence of 2nd pgh "The returned CryptoToken sequence is intended..."
• 8.5.1.8.2 latter half of 2nd pgh starting "The CryptoToken sequence may contain..."
• 8.5.1.8.4 (similar content to 8.5.1.8.2)
• 8.5.1.8.6 (similar content to 8.5.1.8.2)

RTPS 2.4 added support for GROUP ordered access and coherent access. Part of this work added fields to the heartbeat submessage, one of which is a secureWriterSet.

This field shall contain the 32-bit xxHash32 of all of the writer EntityIds that are sent via secure discovery.

The use of this field should be mentioned somewhere in the security spec as the RTPS spec refers to the security specification to define the use of this field.

A new inline QoS was also added: PID_SECURE_WRITER_GROUP_INFO. This inline QoS should also be added to the security spec.

See the revised RTPS text here: DDSIRTP23-117

Table 63's entry for validate_remote_permissions describes a required interaction with the authentication plugin in order to obtain an AuthenticatedPeerCredentialToken. This appears to be an artifact of a previous spec revision, since the current API for validate_remote_permissions already provides the AuthenticatedPeerCredentialToken.

So that validate_remote_permissions makes more sense, remove the auth_plugin and remote_identity_handle parameters (Table 32, section 8.4.2.9.2, Table 63, IDL).

Section 8.7 specifies the optional Data Tagging model, but the details of how this works really reside in the Access Control plugin. Sections 1.2 and 2.3 need to be updated to remove references to a Data Tagging "Plugin." Also update section 8.1.1. For clarity, update section 8.7.2 to add a reference to Access Control.

In the IDL get_topic_sec_attributes's 3rd parameter has type TopicSecurityAttributes. In table 32 it appears as EndpointSecurityAttributes which seems to be an error.

Also Figure 10 calls this method get_topic_security_attributes instead of using "sec".

The name of field ac_endpoint_properties in ParticipantSecurityAttributes should be ac_participant_properties as specified in Table 27.

When the middleware calls Auth plugin operations begin_handshake_request and begin_handshake_reply, it must provide serialized_local_participant_data as an OctetSeq according to serialization rules described in 8.3.2.11.4-5. However, these sections do not specify that padding bytes in the serialized data should be initialized to 0. This is desirable so that the OctetSeq can be hashed with consistent results.

Alternatively, revisit the choice to use OctetSeq here in the plugin API. It seems like it would be fine to pass the structure ParticipantBuiltInTopicDataSecure directly to the plugin, as is already done with Access Control.

The class_id attribute in various Tokens includes the Plugin Name and a version number. The intention was that the version number would track the specification version so that it could be used to understand the format of the Token.

However this is not done consistently. Currently the following class_id are used:

As it can be seen some class_ids are missing the version number. The ones that have it use "1.0" instead of "1.1" which is the version of the spec. Finally when there are multiple tokens with the same class ID a suffix preceded by a "+" is uses to differentiate them, but this is not done in all cases.

The goal of this issue is to correct this irregularities. So DDS Security version 1.2 should modify the Token as follows:

Note that this change is not intended to break backwards interoperability. So the proposal could/should be adjusted to ensure that. Specifically the change in the name for the PermissionsCredentialToken should not impact interoperability as this token is not exchanged between participants. The same is true for the addition of the "+AuthPeer" to the AuthenticatedPeerCredentialToken.

The Builtin Authentication Protocol described in 9.3.4.2 'Protocol description' as well as in Table 52 'Actions undertaken by the operations of the builtin Authentication plugin' should be more explicit about how each of the protocol messages is validated.

Specifically it should prescribe that:

• Participant_A shall check the fields inside HandshakeReplyMessageToken and ensure that {Challenge1, Hash(C1), DH1}

  match what Participant A sent in the HandshakeRequestMessageToken.

• Participant_B shall check the fields inside HandshakeFinalMessageToken and ensure that {Hash(C1), Hash(C2), DH1, DH2, Challenge1, Challenge2}

  match what Participant B sent in the HandshakeRequestMessageToken.

This should be made clear both in 9.3.4.2 'Protocol description' and in Table 52 'Actions undertaken by the operations of the builtin Authentication plugin'.

The AES-CCM cypher suite used by the built-in authentication plugins is well suited for higher end processors that have hardware support for AES (e.g. the Intel AES-NI instructions and the the AES instructions in ARMv8).

ARMv7 and other low-end processors don't have hardware support. In these AES can be quite slow.

To better support lower end processors it would be good to add support for a cypher suite that has reasonable performance without hardware support. The industry seems to be converging around the ChaCha20. See:

https://tools.ietf.org/html/rfc8439
https://tools.ietf.org/html/rfc7905

Gerardo

There is only one <permissions> element in a permissions document, but it can contain multiple <grant> elements. Section 9.4.1.3.2.1 states "Each subject name can only appear in a single <permissions> Section"... which should be "single <grant> Section" and "A permissions Section with a subject name that doesn't match" should be "A grant Section with a subject name that doesn't match."

The "Domain Governance Document" and "DomainParticipant permissions document" chapters contain references to "IETF RFC 5761". This doesn't seem correct.

It seems that it should be "IETF RFC 2633". At least then the mentioned RFC sections fit.

Currently the INFO_SOURCE can only be protected by RTPS protection. This makes anyone on the Domain able to modify it. Moreover it must be left unprotected when communicating with unsecured participants.

It would be better if it was included into the DATA / DATA_FRAG submessge as an inlineQos

The IDL used by the specification should be updated to the latest IDL 4.2 syntax.

This specially impacts annotations. For example @Extensibility(MUTABLE_EXTENSIBILITY) has been replace with @mutable.

Section 9.6 'Builtin Logging Plugin' should specify the Qos used to publish and subscribe to the BuiltinLoggingTopic, similar to how it is done for other builtin topics introduced by DDS-Security.

See for example how it is done for the DCPSParticipantMessageSecure builtin Topic (section 7.4.2) where it refers to the Qos of other builtin Topics and also how it is done for the TopicBuiltinParticipantVolatileMessageSecureWriter and BuiltinParticipantVolatileMessageSecureReader (section 7.4.4.2 ) where it defines it explicitly.

8.5.1.9.4 (4th pgh) describes that encode_rtps_message may determine that no encoding is necessary. This is currently an awkward fit with the common API design of returning a boolean and "setting" or "not setting" an exception struct. What does "not setting" the exception struct mean in practice? How does an implementation portably handle this?

It would be better to have an enum or integer return type so that the plugin can more directly influence the implementation's control flow, with distinct return values for OK_ENCODED, OK_NOT_ENCODED, ERROR, possibly others.

A similar issue occurs with decode_rtps_message (8.5.1.9.5). Because key exchange happens asynchronously with respect to encoded message transmission, the plugin may not be able to decode a given message. Simply "returning an exception" in this case is not ideal since the calling code should probably log this exception and it may raise alarms.

Extending this idea of enum (or integer constants) return types instead of boolean to other CryptoTransform operations may also be useful. For example, the other encode operations could return a OK_NOT_ENCODED instead of copying data.

The Permission File is an XML file. The signature is also encoded as text. For large systems with a lot of Topics the size can grow to be quite big. This is amplified by the fact that it is possible and convenient to combine the permissions of multiple participants into a single file. This size can exceed the 64KB max size of IP.

An additional problem is that the permissions file is sent during the authentication handshake. The authentication handshake uses a special "best efforts stateless" that does not support fragmentation of large packets. This is done on purpose to make the channel to be robust to sequence number attacks but it results on the inability to send these large permission files.

This could be addressed by separating the permissions from the authentication handshake and there is already an issue filed for this, see DDSSEC12-13.

However there is a simple solution that can make the current approach more scalable. The proposed approach is to send the Permissions document compressed rather than in their current text form.

Users are already hitting this limit so this issue requests that capability to send the permissions compressed is added with high priority, even if later a more general solution is developed as requested in DDSSEC12-13.

The RTPS specification allows implementations to send implementation-specific RTPS sub-messages inside an RTPS message. These submessages are distinguished by having submessageId's within a specific range.

Prior to DDS security skipping implementation-specific RTPS sub-messages was very efficient requiring only the receiver to jump their length indicated in. the header.
However with DDS security the submessages can be encrypted inside a SRTPS_PREFIX/SUFFIX envelope this requires the receiver to always decrypt them even if it will end up skipping them.
An extreme, but likely common case is when the SRTPS_PREFIX/SUFFIX contains exclusively implementation-specific RTPS sub-messages which makes the effort to decrypt the RTPS message fruitless.

A way to resolve this would be to designate a flag in the SRTPA_PREFIX submessage to indicate that the content contains only vendor-specific submessages. A receiver can use this flag to skip the whole RTPS message avoiding the effort to decrypt i n the event that the sender vendorId does not match the receiver's.

The proposal therefore is to designate the leftmost flag of the SRTPS_PREFIX submessage to indicate it contains only "vendor specific content".

Handles that are allocated by plugins need to have a "return" operation so that the memory used by the plugin can be freed when the handle is no longer needed by the middleware.

boolean return_permissions_handle(in PermissionsHandle handle,
  inout SecurityException ex);

check_remote_datawriter_register_instance defined in 8.4.2.9.15 has these parameters: permissions_handle, reader, publication_handle, key, exception.

In the IDL file and Table 32 in 8.4.2.9 there's also an instance_handle parameter, which should be removed.

The operations get_topic_sec_attributes, get_datareader_sec_attributes and get_datawriter_sec_attributes are missing from Table 63 - Actions undertaken by the operations of the bulitin AccessControl plugin.

It would be helpful to implementors to include some known implementation best-practices in the CryptoTransform

The specification provides mechanisms to extend the set of cryptographic algorithms in future revisions.
The specification also provides mechanisms to extend the set of cryptographic algorithms by a single vendor without requiring a revision of the standard. Those extended algorithms will be understood by the vendor and ignored by others.
What is not clear is if two vendors can agree to use another cryptographic algorithm and interoperate. This use-case may be relevant to an end-user that is using multiple vendors and wants to have those vendors work together to use a new crypto algorithm

This issue requests some mechanism to support this last use case.

The RTPS spec allows a single RTPS message to contain multiple INFO_SRC submessages, effectively changing the Participant GUID of the sending Participant.

This seems problematic for DDS Security since the cryptograophic material is tied to that Participant GUID (e.g. the RTPS protection).
Also INFO_SRC does not work well with the new RTPS_HEADER_EXTENSION.

How commonly is this capability used? It is worth finding a way to make DDS-Security work with it or would it be better to disallow it.

Should it be disallowed just for DDS-Security or for DDS in general?

When "performing authentication only," the encode_serialized_payload operation wraps the SerializedPayload inside CryptoHeader and CryptoFooter. This resulting byte stream takes the place of the original SerializedPayload submessage element in a Data(Frag) submessage.

On the receiving side, this modified submessage element is passed to decode_serialized_payload. The problem comes in parsing this CryptoHeader-SeralizedPayload-CryptoFooter group.

The CryptoHeader is of fixed size and only contains octet-width data (therefore has no padding), so parsing it and determining where SerializedPaylod starts is trivial.

Then the implementation needs to determine where SerializedPayload ends in order to determine which bytes to authenticate. There is no in-stream indication of where the SerializePayload ends.

One possibility would be to look at the end of the byte sequence that decode_serialized_payload received and "step backwards" by the length of the CryptoFooter, however the CryptoFooter is variable length (with receiver_specific_macs). Even if the implementation has external knowledge that receiver_specific_macs are not in use, the alignment requirement of the plugin_sec_tag.receiver_specific_macs.length effectively makes this a variable-length element (also see issue #58).

To resolve this, an additional element for "length" could be added before the SerializedPayload, just like the CryptoContent submessage element does. This would make parsing the encoded payload similar for the encrypt and auth-only cases.

domainId is not listed in section 8.4.2.9.12

In 9.5.3.3.4.2 remove this part:
"Note that the cipher operations have 16-byte block-size and add padding when needed. Therefore the secure data.length (“N”) will always be a multiple of 16."

AES-GCM doesn't add padding. The implication of this is that the CryptoContent Submessage Element may end at an arbitrary point in the stream (from the point of view of alignment). Bringing the stream "back into alignment" will depend on the usage context:

• When encoding payload, the CryptoFooter follows directly after CryptoContent. This means that CryptoFooter's first element (common_mac) may start unaligned. Then receiver_specific_macs.length appears in the stream as a 32-bit value so it will be preceded by 0-3 padding bytes depending on the length of CryptoContent.
• When encoding a submessage or full message, CryptoContent is followed by the start of another submessage which must be aligned to 4 per the RTPS spec.

9.5.3.3.6 "The message digest is computed on the crypto_header and the ciphertext."

This statement appears to contradict the descriptions of common_mac and receiver_specific_macs in 9.5.3.3.4.4 (payload), 9.5.3.3.4.5 (submessage), and 9.5.3.3.4.6 (message).

XML Schema doesn't use all-caps TRUE and FALSE.
https://www.w3.org/TR/xmlschema-2/#boolean

In the Table 70 row for register_local_datareader, the ReaderKeyMaterial is created based on Data Protection Kind. This should be Metadata Protection Kind because the ReaderKeyMaterial signs/encrypts submessages and not data payloads.

The term CryptoKeyTransform is used 3 times (section name of 9.5.3.3, text of 9.5.3.3.1, caption of Table 72). These should be CryptoTransform.

Section 9.3.1.3 (Identity Certificate) indicates it is possible to use certificate chains.

However the language of this section is confusing because an X.509 v3 Certificate does not contain a chain. It is a single certificate. What can contain a chain of certificates is a file. E.g. the standard "PEM" file format referenced in Table 44 can contain a certificate chain.

To clarify this the following modifications are suggested:
(1) In table 44, row for "identity_certificate" change from:
"URI to a X509 certificate signed by the IdentityCA in PEM format"...
To
"URI to a X509 certificate (or certificate chain) signed by the IdentityCA, either as the root CA or as an intermediate CA, in PEM format"

(2) In section 9.3.1.3 change from:
"An X.509 v3 Certificate [39] that chains up to the Identity CA (see 9.3.1.1)."
To:
"A X.509 v3 Certificate chain [39] that is signed by the Identity CA (see 9.3.1.1) either as the root or as an intermediate CA in the chain"

(3) In section 9.3
In bullet 3. Clarify it may not be a single X.509 rather it can be a chain.

(4) In table 49, field "c.id" indicate this is not a single certificate but a certificate chain. As that is what was configured in the PropertyQosPolicy.

(5) In table 50, field "c.id" indicate this is not a single certificate but a certificate chain. As that is what was configured in the PropertyQosPolicy.

(5) In table 52, field "validate_local_identity" indicate this is not a single certificate but a certificate chain.

(6) In Table 53 IdentityCertificate is undefined. Maybe it should be "identity_certificate" and refer to the property defined in Table 44.

The behavior of the built-in CryptoKeyFactory operations is described in Table 70. Many entries of this table include direct references to details of the built-in Access Control plugin's configuration file (an example, "see 9.4.1.2.5.6").

It would be easier to follow and more modular if this was changed to instead reference the data structure that the CryptoKeyFactory can actually see, which in this case is ParticipantSecurityAttributes.