On Oct 13, 2014 1:07 PM, "Yaron Sheffer" <[email protected]> wrote: > > Hi Stephen, > > Thanks for your review. Here are a few comments to your comments. > > > On 10/13/2014 07:27 PM, Stephen Farrell wrote: >> >> >> - s2, 2nd para: "a more systemic solution" is left hanging >> - do you mean TLS1.3? If so, maybe say so? > > > Actually this is a leftover from the unified attacks+BCP draft, and that's what is meant. > > >> >> - 2.6: should the RFC editor wait on the official >> allocation of the BEAST CVE number? I don't think that's >> happened already has it? > > > BEAST is fine, this is about BREACH. the CVE number is allocated but that's about it, and people are citing it. I am not familiar with the CVE allocation procedures, for all I know it may remain reserved-but-unofficial forever. I certainly don't want to hold the RFC waiting for it. > >> >> - 2.7, is Bleichenbacher really a certificate attack? I >> think its not, but is a pkcs#1 encryption attack. (It >> would apply just as well to OOB keys in TLS.) I'm not sure >> if Klima is or is not the same in that respect. Also the >> timing attacks in the 2nd para, don't seem to be >> certificate related are they? So perhaps only the last >> para is really certificate related? >> > > You're right I believe. Need to recheck and maybe rework the title. > >> >> - 2.10: isn't TRIPLE-HS published yet? >> > Yes. http://prosecco.gforge.inria.fr/bibtexbrowser.php?key=BhargavanDFPS14&bib=ourpubs.bib > > >> - 2.12: A reference would be good here if we have one, >> esp. for the "It is known" point. > > > [Private communication]... > > http://www.ietf.org/mail-archive/web/uta/current/msg00387.html > > >> >> - 2.13: Doesn't that paper also blame hard-to-use APIs as >> well as the IETF protocols and their complexity? Worth a >> mention? > > > Personally, I don't think it's worth a mention. As they say, it is not "actionable".
It absolutely is actionable. Don't use complex APIs, switch implementations, and conduct negative testing. > > > _______________________________________________ > Uta mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/uta
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
