On Wed, Aug 17, 2016 at 02:49:52PM -0700, Eric Rescorla wrote:
> Folks,
>
> I've just submitted draft-ietf-tls-tls13-15.

Doing brief review:

- Section 4.2.2 talks about EdDSA using "ECDSA cipher suites". TLS 1.3 does not have those. However, this kind of information is very relevant for TLS 1.2 backward compatibility: you need to assign TLS 1.2 cipher suites for EdDSA in order to use it in TLS 1.2. TLS 1.3 does not care either way.

- I note that accepting PSK and selecting the auth mode seem to be in separate messages, which seems quite annoying implementation-wise.

- Can the server send an arbitrary certificate in response to PSK, or is it somehow restricted? The document does not seem to talk about it.

- The HelloRetryRequest is problematic in the pure-PSK case[1].

[1] One way to do it would be to move the group to an extension, which would only be sent if a new group was needed. Then one could always require at least one extension (the field could also be renamed). Also, one could make it so that HRR extensions don't have to correspond to CH extensions (and an unsupported one is a fatal error).

-Ilari

_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls
