Hi Watson, Apologies for the delay. I filed this issue to track your feedback:
https://github.com/tlswg/external-psk-design-team/issues/41 I think the issues and editorial suggestions you make are sound. I'll propose some text soon. Best, Chris On Mon, Jul 6, 2020, at 12:47 PM, Watson Ladd wrote: > Dear WG, > > I've taken a look at the draft and I think while its discussion of the > properties and limitations of the external PSKs are good, I think the > recommendations in section 7 could use some minor editorial work. > > In particular "SHOULD be combined with a DH exchange for forward > secrecy." I would like to see rephrased to make clear that this is > about the TLS PSK Key Exchange Mode. It wasn't immediately clear to me > on first read, especially given the next sentence is (maybe) about key > establishment outside of TLS. > > "If only low-entropy keys are available, then key establishment > mechanisms such as Password Authenticated Key Exchange (PAKE) that > mitigate the risk of offline dictionary attacks SHOULD be employed". > I have some questions about the meaning of this sentence. If it's > about potential future additions to TLS ciphersuites, then it should > be more clear that this doesn't currently exist and will in the > future. If it's about designing an ad-hoc key distribution mechanism > to be run one time ahead of PSK TLS, then I think we should say so > more clearly and provide guidance on how to do this and think through > the implications. > > Section 7.1.1. While it's a good idea to compare byte by byte, humans > entering PSK identifiers may run into trouble due to all the ways > visually identical strings may not actually be identical. It might be > worth calling this out as a consideration. > > Sincerely, > Watson Ladd > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
