Hi list,

I am sorry for the very late answer concerning draft 18, but we (ANSSI) have several remarks after proof-reading the current specification.

We are sorry for the multiple long messages. If the WG is interested in some of our concerns/proposals, we would be glad to propose some PRs.

= PSK and PSK Binder =

P.35 (4.2): it is specified that the pre_shared_key extension must be the last extension in the ClientHello, because of the way the PSK Binder is computed. This seems very hackish and will most certainly lead to implementation errors. However, I understand that it was not easy to propose a cleaner mechanism while keeping a common flow between *DHE and PSK modes. Yet, we would have preferred that PSK not be MTI, as stated at the end of the document (P.81, section 8.2). In previous versions PSK and resumption were not MTI, so it might be logical to keep it this way. Alternatively, we might propose a profile defining a simpler TLS subset.

Regarding the definition of the PSK Binder (P. 45 and 46, section 4.2.6.1), we found it very hard to read, since the binding value is said to be computed as the Finished message, but differently. In particular, it would be useful to give the relevant information (I believe the Handshake Context is called transcript in this section, and it would be important to make the Hash to use explicit), instead of implying it. It would not take much space in the document, but it would ensure implementers know how to compute the binder.

Olivier Levillain

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
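The binder computation the message asks to have spelled out, written as an added example in Python (not code from the original mail or from the draft): the key-schedule labels, the "TLS 1.3, " HkdfLabel prefix and SHA-256 as the hash are assumed to follow draft-18, and the PSK and partial ClientHello bytes are constructed.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256          # assumed: the hash associated with the PSK is SHA-256
HASH_LEN = HASH().digest_size  # 32

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, hash_value: bytes, length: int) -> bytes:
    # HkdfLabel as assumed from draft-18: uint16 length, "TLS 1.3, " + label, hash_value
    full_label = b"TLS 1.3, " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(hash_value)]) + hash_value)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)

def compute_binder(psk: bytes, truncated_client_hello: bytes, resumption: bool = True) -> bytes:
    """Binder over the ClientHello up to, but not including, the binders list.

    Same shape as a Finished value, but keyed from binder_key (derived from the
    Early Secret) and computed over a partial transcript of the ClientHello only."""
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, psk)
    # binder_key labels assumed from draft-18: resumption vs external PSK
    label = b"resumption psk binder key" if resumption else b"external psk binder key"
    binder_key = derive_secret(early_secret, label, b"")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    transcript_hash = HASH(truncated_client_hello).digest()  # Hash of the partial ClientHello
    return hmac.new(finished_key, transcript_hash, HASH).digest()

def verify_binder(psk: bytes, truncated_client_hello: bytes, binder: bytes, resumption: bool = True) -> bool:
    # Server side: recompute and compare in constant time before accepting the PSK
    return hmac.compare_digest(compute_binder(psk, truncated_client_hello, resumption), binder)

if __name__ == "__main__":
    psk = bytes(range(32))  # constructed PSK
    partial_hello = b"\x01\x00\x00\x80\x03\x03" + bytes(32) + b"constructed ClientHello up to identities"
    binder = compute_binder(psk, partial_hello)
    print("binder:", binder.hex(), "verifies:", verify_binder(psk, partial_hello, binder))
```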