Hi! We closed the loop on this one, and Roman wanted to make sure this got back.
> On Apr 4, 2021, at 06:57, Francesca Palombini via Datatracker <[email protected]> wrote:
>
> Francesca Palombini has entered the following ballot position for
> draft-ietf-tls-exported-authenticator-14: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for the work on this document, and thank you to the doc shepherd for
> the in-depth background. Please find some comments below.
>
> Francesca
>
> 2. -----
>
>    used to send the authenticator request SHOULD use a secure with
>    equivalent security to TLS, such as QUIC [QUIC-TLS], as its as its
>
> FP: What are the implications of not using such a secure transport protocol?
> Why is it just RECOMMENDED and not MANDATED? nits: missing word "use a secure
> with" ; remove one of the duplicated "as its". (Note: this text appears again
> with the same typos for the authenticator in section 5)

We roped Jonathan in and here's what he had to say:

> Begin forwarded message:
>
> From: Jonathan Hoyland <[email protected]>
> Subject: Re: Datatracker State Update Notice: <draft-ietf-tls-exported-authenticator-15.txt>
> Date: May 6, 2022 at 12:16:34 EDT
> To: Christopher Wood <[email protected]>
> Cc: Paul Wouters <[email protected]>, Sean Turner <[email protected]>, Roman Danyliw <[email protected]>, Christopher Wood <[email protected]>, [email protected], TLS Chairs <[email protected]>
>
> The EA is equally secure if sent over an entirely unsecured medium.
> The only reason to have a SHOULD there is because if you send the EA over a
> plaintext channel you reveal the Server certificate.
>
> In most cases it will make sense to send the EA over the channel that's
> already there, but from a security perspective there's no reason to require
> it.
>
> Regards,
>
> Jonathan

Cheers,
spt
