Hi Eric,

Thank you for reviewing the document. Given your second comment, I suspect you are reading version 04, while the current version is version 05 [1]. I believe your comments have been addressed in version 05. However, let me know if you have other concerns.
Regarding TLS 1.3: we were asked to position the new code points toward TLS 1.3, but I guess that was at the time the version was not indicated in the title, so in principle we could remove these references. I believe the text in version 05 addresses your comment, but the current version still cites TLS 1.3 in the following sections:

- introduction: """AEAD algorithms that combine encryption and integrity protection are strongly recommended for (D)TLS [RFC7525 <https://tools.ietf.org/html/rfc7525>] and non-AEAD algorithms are forbidden to use in TLS 1.3 [I-D.ietf-tls-tls13 <https://tools.ietf.org/html/draft-ietf-tls-ecdhe-psk-aead-05#ref-I-D.ietf-tls-tls13>]."""
  Would you prefer to remove "and non-AEAD algorithms are forbidden to use in TLS 1.3 [I-D.ietf-tls-tls13 <https://tools.ietf.org/html/draft-ietf-tls-ecdhe-psk-aead-05#ref-I-D.ietf-tls-tls13>]", or is it fine to leave it as it is?

- section 3: """Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to support equivalent functionality in TLS 1.3 [I-D.ietf-tls-tls13 <https://tools.ietf.org/html/draft-ietf-tls-ecdhe-psk-aead-05#ref-I-D.ietf-tls-tls13>]."""
  Would you prefer to have all of the mentioned text removed, or is it fine to leave it as it is?

Regarding the reference to the PRF of TLS 1.1, I think it concerns the text below, which has been removed in version 05.

"""[...] The PRF results from mixing the two pseudorandom streams with distinct hash functions (MD5 and SHA-1) by exclusive-ORing them together. In the case of ECDHE_PSK authentication, the PSK and pre-master are treated by distinct hash functions with distinct properties. This may introduce vulnerabilities over the expected security provided by the constructed pre-master. As such TLS 1.0 and TLS 1.1 should not be used with ECDHE_PSK.
The cipher suites defined in this document make use of the authenticated encryption with additional data (AEAD) defined in TLS 1.2 [RFC5246 <https://tools.ietf.org/html/rfc5246>] and DTLS 1.2 [RFC6347 <https://tools.ietf.org/html/rfc6347>]. Earlier versions of TLS do not have support for AEAD and consequently, the cipher suites defined in this document MUST NOT be negotiated in TLS versions prior to 1.2. In addition, it is worth noting that TLS 1.0 [RFC2246 <https://tools.ietf.org/html/rfc2246>] and TLS 1.1 [RFC4346 <https://tools.ietf.org/html/rfc4346>] split the pre-master in two parts. The PRF results from mixing the two pseudorandom streams with distinct hash functions (MD5 and SHA-1) by exclusive-ORing them together. In the case of ECDHE_PSK authentication, the PSK and pre-master are treated by distinct hash functions with distinct properties. This may introduce vulnerabilities over the expected security provided by the constructed pre-master. As such TLS 1.0 and TLS 1.1 should not be used with ECDHE_PSK."""

Yours,
Daniel

[1] https://tools.ietf.org/html/draft-ietf-tls-ecdhe-psk-aead-05

On Thu, Aug 10, 2017 at 10:39 AM, Eric Rescorla <e...@rtfm.com> wrote:
> Eric Rescorla has entered the following ballot position for
> draft-ietf-tls-ecdhe-psk-aead-05: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> The citations to TLS 1.3 still seem pretty muddled. I think you
> should just stop referencing and discussing 1.3.
>
> S 2.
> I'm not sure that the discussion of the PRF is helpful here in
> mandating the non-use of these cipher suites with TLS 1.1 and
> below.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
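The removed draft text quoted above argues from the shape of the TLS 1.0/1.1 PRF. The following is an added worked example (it is not code from the draft, from the TLS working group, or from either correspondent) that implements that PRF as specified in RFC 2246/RFC 4346 section 5, the single-hash TLS 1.2 PRF from RFC 5246 section 5 for contrast, and the PSK premaster layout from RFC 4279 section 2 that ECDHE_PSK (RFC 5489) reuses. It then shows which premaster bytes the MD5 half and the SHA-1 half of the old PRF actually see. The 32-byte "ECDHE shared secret", the 16-byte PSK and the 64-byte random seed are constructed sample values, not real key material.

```python
import hmac
import struct


def p_hash(digestmod, secret, seed, length):
    """P_hash from RFC 2246 section 5:
    HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated to `length`."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def split_secret(secret):
    """RFC 2246/4346 section 5: S1 is the first half of the secret and S2 the second half;
    for an odd-length secret both halves are ceil(len/2) bytes and share the middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def tls11_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_SHA256 over the whole secret, no split."""
    return p_hash("sha256", secret, label + seed, length)


def psk_premaster(other_secret, psk):
    """Premaster secret layout from RFC 4279 section 2, reused by ECDHE_PSK (RFC 5489):
    uint16 len(other_secret) || other_secret || uint16 len(psk) || psk."""
    return (struct.pack("!H", len(other_secret)) + other_secret
            + struct.pack("!H", len(psk)) + psk)


def premaster_sides(other_secret, psk):
    """Return (md5_side, sha1_side): the bytes of the ECDHE_PSK premaster that each
    hash function of the TLS 1.0/1.1 PRF is keyed with."""
    return split_secret(psk_premaster(other_secret, psk))


# Constructed sample inputs (not real key material).
ECDH_SHARED = bytes(range(32))   # stands in for the ECDHE shared secret
PSK = b"\xaa" * 16               # stands in for the pre-shared key
RANDOMS = b"\x00" * 64           # stands in for ClientHello.random || ServerHello.random

if __name__ == "__main__":
    md5_side, sha1_side = premaster_sides(ECDH_SHARED, PSK)
    print("MD5 side   :", md5_side.hex())
    print("SHA-1 side :", sha1_side.hex())
    print("PSK keyed into MD5 half:  ", PSK in md5_side)
    print("PSK keyed into SHA-1 half:", PSK in sha1_side)
    pms = psk_premaster(ECDH_SHARED, PSK)
    print("TLS 1.1 master secret:", tls11_prf(pms, b"master secret", RANDOMS, 48).hex())
    print("TLS 1.2 master secret:", tls12_prf(pms, b"master secret", RANDOMS, 48).hex())
```

With these sample lengths the premaster is 52 bytes, so each half is 26 bytes: the MD5 half is keyed only with the length field and the first 24 bytes of the ECDHE secret, while the SHA-1 half is keyed with the remaining 8 ECDHE bytes, the PSK length and the whole PSK. That is the "distinct hash function" situation the removed text describes; in TLS 1.2 the entire premaster keys a single P_SHA256, which is one reason the draft can simply require TLS 1.2 or later through the AEAD requirement without discussing the older PRF.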