Éric Vyncke has entered the following ballot position for
draft-ietf-opsawg-tacacs-tls13-23: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


# Éric Vyncke, INT AD, comments for draft-ietf-opsawg-tacacs-tls13-23
CC @evyncke

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points/nits (replies would be
appreciated even if only for my own education).

Special thanks to Joe Clarke for the shepherd's detailed write-up including the
WG consensus *and* the justification of the intended status especially the
relationship to the informational RFC 8907.

I hope that this review helps to improve the document,

Regards,

-éric

## COMMENTS (non-blocking)

### Header

The header part is missing the draft name (not critical at this stage).

### QUIC

At least, some justifications why TLS was preferred to QUIC or HTTPS would be
welcome.

### Section 3.1

I was unaware that the TLS handshake can be done not immediately after the TCP
handshake as hinted by `Therefore, when a TCP connection is established for the
service, a TLS handshake begins immediately.` or should this sentence be
removed?

s/separate TCP/IP port number /separate TCP port/

### Section 3.2

s/in which case the ticket might be invalidated/in which case the *session
resumption* ticket might be invalidated/

I am not a security expert, but s/might/SHOULD/ seems more appropriate with an
explanation *when* it can be kept.

### Section 3.4.1

When can the "SHOULD" be bypassed in `TLS Cached Information Extension
[RFC7924] SHOULD be implemented.`?

### Section 7

Unsure how to read `IANA (has allocated) is requested ` as the IANA has not yet
allocated a port number (you may want to suggest a value).

### Operational considerations

Should the impact of the use of mutual TLS authentication be described?
Notably the provisioning of certs to all peers.



_______________________________________________
OPSAWG mailing list -- opsawg@ietf.org