Re: [Gen-art] review of draft-ietf-tls-grease-03.txt

2019-08-23 Thread Benjamin Kaduk
On Wed, Aug 21, 2019 at 05:55:44PM -0400, David Benjamin wrote:
> On Wed, Aug 14, 2019 at 4:09 AM Francis Dupont 
> wrote:
> 
> >  - 5 page 7: I have a concern about your use of the term random. In fact
> >   even it is a security document here random is just plain English
> >   (vs any crypto meaning). Constraints seems to be:
> >* coverage: the set of used values should not be small
> >* privacy: fingerprinting should not be easy
> >   I do not propose any solution: just follow recommendations of
> >   the security directorate in the case this point is a problem.
> >
> 
> Ack. +Benjamin Kaduk , do you have preferences on this? I
> don't think the requirements on "random" are particularly strong, so I
> don't know if we should prescribe cryptographic randomness. At the same
> time, it is perhaps odd to just say "random".

I think it's okay to just say "random" here.  There's no harm if someone
chooses to use cryptographic randomness, but it's also okay to make a
predictable choice (by using poor-quality randomness to guide what is, in
essence, an arbitrary selection).

-Ben

> My implementation just draws from the PRNG because it's easy, but if the
> values are predictable, it doesn't expose user-fingerprinting surface,
> which is the more important one. (User-fingerprinting would come more from
> doing something stateful or user-specific.) It does expose
> implementation-fingerprinting surface, but even sending GREASE does so too.
> TLS is full of implementation decision and policy points (e.g. the entire
> ClientHello), nearly every one of which contributes to the implementation
> fingerprint. :-/

___
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art


[Gen-art] review of draft-ietf-tls-grease-03.txt

2019-08-14 Thread Francis Dupont
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

.

Document: draft-ietf-tls-grease-03.txt
Reviewer: Francis Dupont
Review Date: 20190803
IETF LC End Date: 20190812
IESG Telechat date: 20190822

Summary: Ready

Major issues: None

Minor issues: None

Nits/editorial comments:
 - ToC page 2 and 8 page 11: Acknowledgements -> Acknowledgments

 - 5 page 7: I have a concern about your use of the term random. In fact
  even it is a security document here random is just plain English
  (vs any crypto meaning). Constraints seems to be:
   * coverage: the set of used values should not be small
   * privacy: fingerprinting should not be easy
  I do not propose any solution: just follow recommendations of
  the security directorate in the case this point is a problem.

Regards

francis.dup...@fdupont.fr

___
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art