On Tue, Jul 04, 2017 at 08:47:16AM +0000, Wang Haiguang wrote:
> Dear all,
>
> This is Haiguang Wang from Huawei Technology.
>
> I have submitted an IETF draft on using ECCSI public key for
> authentication over TLS protocols. It is the first version, so the
> draft still has a lot of space to improve.

Some feedback:

- I see the certificate message has a single opaque field. This is the
  same as RPK, but isn't trivially mappable to TLS 1.3. See TLS 1.3
  draft section 4.4.2 on how TLS 1.3 handles RPK.
- I think you shouldn't duplicate existing arms in TLS structures. See
  RFC 4279, section 4 for one example on omitting such arms.
- I think you shouldn't duplicate definitions of ClientCertificateType
  and ServerCertificateType. Leave that to RFC 7250 and TLS 1.3 RFC.
  You just need the certificate type value.
- I think you shouldn't define a new key exchange algorithm, but use
  ECDHE_ECDSA instead (like EdDSA does). Then get a new TLS 1.3
  signatureScheme value, which decomposes to the corresponding TLS 1.2
  values (see RFC4492bis for an example). However, this requires
  TLS 1.2 or newer, but that should not be a problem.
- The proposed ciphersuites are really bad. No new blockmode or
  stream-mode ciphers should be defined (especially blockmode, those
  are almost impossible to implement in a secure way). If ECDHE_ECDSA
  is used, one avoids allocating any new ciphersuites.
- Security considerations missing.
- IANA considerations missing, should ask for allocation of all new
  codepoints (and that one OID).
- References section is duplicated.

-Ilari
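
Added example (not part of the message above or of the draft under review): the single-opaque certificate body used for raw public keys in RFC 7250 next to the TLS 1.3 section 4.4.2 layout, with strict parsers showing that neither encoding is accepted by the other. Function names are hypothetical and the key blob is constructed placeholder bytes, not a real ECCSI key.

```python
class ParseError(ValueError):
    pass

def vec(data: bytes, len_bytes: int) -> bytes:
    """Encode a TLS variable-length vector with a big-endian length prefix."""
    return len(data).to_bytes(len_bytes, "big") + data

def take(buf: bytes, off: int, len_bytes: int):
    """Read one length-prefixed vector at off; return (data, next_offset)."""
    if off + len_bytes > len(buf):
        raise ParseError("truncated length prefix")
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    start = off + len_bytes
    if start + n > len(buf):
        raise ParseError("vector runs past end of message")
    return buf[start:start + n], start + n

def encode_single_opaque(key_blob: bytes) -> bytes:
    # RFC 7250 raw public key body: one opaque<1..2^24-1>, nothing else.
    return vec(key_blob, 3)

def parse_single_opaque(body: bytes) -> bytes:
    key, off = take(body, 0, 3)
    if not key or off != len(body):
        raise ParseError("not a single non-empty opaque field")
    return key

def encode_tls13(key_blob: bytes, context: bytes = b"", extensions: bytes = b"") -> bytes:
    # TLS 1.3: certificate_request_context<0..2^8-1>, then a list of
    # CertificateEntry { opaque key<1..2^24-1>; Extension extensions<0..2^16-1>; }
    entry = vec(key_blob, 3) + vec(extensions, 2)
    return vec(context, 1) + vec(entry, 3)

def parse_tls13(body: bytes):
    context, off = take(body, 0, 1)
    entries_raw, off = take(body, off, 3)
    if off != len(body):
        raise ParseError("trailing bytes after certificate_list")
    entries, pos = [], 0
    while pos < len(entries_raw):
        key, pos = take(entries_raw, pos, 3)
        if not key:
            raise ParseError("empty key in CertificateEntry")
        exts, pos = take(entries_raw, pos, 2)
        entries.append((key, exts))
    return context, entries

KEY_BLOB = bytes(range(1, 33))  # constructed 32-byte placeholder
```

The TLS 1.3 form carries a request context and per-entry extensions that the single-opaque form has no place for, which is why a specification has to define the TLS 1.3 mapping explicitly.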
