Brian: Thanks for the review,

> Document: draft-ietf-tls-8773bis
> Title: TLS 1.3 Extension for Using Certificates with an External Pre-Shared
> Key
> Reviewer: Brian Weis
> Review result: Ready
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> The summary of the review is Ready.
>
> This document documents a TLS 1.3 extension which augments the TLS key
> schedule created from a (EC)DHE shared secret value with a pre-shared
> key (PSK). It updates the method defined in RFC 8773, elevating the
> status of that method to Standards Track, as well as adding additional
> text due to changes in the more recent TLS 1.3 draft specification.
> Other changes appear to be text added to better describe the motivation
> for defining this method, e.g. updated information regarding
> Cryptographically Relevant Quantum Computer (CRQC) attacks. As there are
> no substantive changes to the method, I believe it’s generally ready for
> publication.
>
> However, I do have a couple of suggestions.
>
> 1. As a first-time reader of the method I was very surprised that the
> actual method of adding the External PSK was not revealed until the
> Security Considerations section. I suspect this is due to the lengthy
> rationale accompanying the specifics of how the PSK is added to
> HKDF-Extract, but the method itself is relevant enough to be promoted to
> its own section earlier in the document where it is more easily found
> by implementors.

The Introduction says:

   This document specifies a TLS 1.3 extension permitting certificate-
   based authentication and providing an external PSK to be input to the
   TLS 1.3 key schedule.

This does tell people that are familiar with the use of the resumption PSK in the TLS 1.3 handshake protocol what is going on. The previous paragraphs describe resumption PSK and external PSK.

> 2. It’s not clear why the “should not” and many of the “must” statements
> in Security Considerations are not capitalized, denoting them as
> requirements per Section 2. Making them requirements (here or elsewhere
> in the document) would improve the security of the document.

During AD Review, I was asked to change them to lower case. Each of them duplicates a MUST or SHOULD statement from earlier in the document. The discussion in the Security Considerations does add security-specific discussion.

> I also noticed two typos:
>
> 1. Page 11, middle: s/that one TLS 1.3 session/than one TLS 1.3 session/

Fixed.

> 2. The apostrophe character used in “Grover’s algorithm” does not seem to
> be an ASCII character.

Fixed.

Russ