Folks,
At long last, I've completed my AD Evaluation of
draft-ietf-uta-tls-bcp-08. As far as I am concerned, it is ready for
IETF Last Call. Well done! I have a number of comments below, but they
are all editorial in nature, as far as I am concerned. Would the chairs
please review them, and if there is anything in there that needs correction
before Last Call, I'd ask them to let me know in the next few days. If
the chairs would prefer to see these fixed before Last Call (just to
clean stuff up), I'm happy to wait for that as well.
I'll wait for a go-ahead from the chairs to do the Last Call.
pr
---
3.1.3:
Clients that "fall back" to lower versions of the protocol after the
server rejects higher versions of the protocol MUST NOT fall back to
SSLv3.
Is it worth saying "SSLv3 or earlier"?
3.5:
OLD
we adopt the recommended countermeasures from [triple-handshake]
NEW
the recommended countermeasures from [triple-handshake] are adopted:
4.1:
Second sentence, strike "as time progresses". Duplicative.
OLD
We note that this guideline does not apply to DTLS, which
specifically forbids the use of RC4.
NEW
Note that DTLS already specifically forbids the use of RC4.
4.3:
OLD
The use of curves of
less than 192-bits is NOT RECOMMENDED.
NEW
Curves of less than 192-bits SHOULD NOT be used.
4.4:
OLD
we recommend using (in priority order):
NEW
the following are RECOMMENDED (in priority order):
In the second to last paragraph, s/We note/Note
In the last paragraph, the SHOULD in there is kind of silly. "Ought to"
or "need to" are more appropriate.
5.1:
If deployers deviate from the recommendations given in this document,
they MUST verify that they do not need one of the foregoing security
services.
That's a very odd MUST. "Need to"?
The intended audience covers those services that are most commonly
used on the Internet.
That's not quite right. Either change "The intended audience" to "This
document", or change it to "The intended audience is
[implementers/operators/somebodies?] of services that...". An audience
doesn't cover services, AFAICT.
You also use "audience" incorrectly in the last paragraph of 5.1. I
think you mean "scenario".
5.2:
It seems like the reference in the second paragraph should be to RFC 7435.
7.3:
OLD
We thus advocate strict use of forward-secrecy-only ciphers.
NEW
This document therefore advocates the strict use of
forward-secrecy-only ciphers.
7.5:
First paragraph: s/we can recommend/can be recommended
8: s/We would like to thank/The [authors/editors] would like to thank
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta