Much belated approval. One minor issue and some nits.

Section 4 talks about failure, but doesn't really put enough work in. If this is an error that needs to be retried, then a new error code is necessary. Decapsulation failure will occur at the server, which will have to indicate that failure to the client in order for the retry to occur. That error will not be authenticated by the client, but I can't see any serious problem with trying again. After all, servers are more often the ones who would want to avoid the extra work.

Without this, a server is forced to send a generic error code, which is generally terminal. This situation is more or less acceptable given the negligible probability of failure with ML-KEM, but this document is generic and so cannot assume that failure won't occur.

Some nits:

Section 2 says: "

Section 3.3 has a very long line that should be trimmed/wrapped:

    concatenated_shared_secret = MyECDH.shared_secret || MyPQKEM.shared_secret

Section 4 and the note on FIPS compliance could be broken into section headings rather than being presented as a list. That would make the text easier to reference. These all look to be about limitations or caveats on the design.

Can references to Kyber in Section 4 be replaced by mention of either ML-KEM or MyPQKEM, the latter being preferred?

The text in Section 6 about fixed-length inputs and secrets should be a subsection (again, for ease of citation).

On Tue, Aug 13, 2024, at 05:50, Deirdre Connolly wrote:
> This email starts the working group last call for the Internet-Draft
> "Hybrid key exchange in TLS 1.3", located here:
>
> https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>
> The WG last call will end 26th August 2024 @ 2359 UTC.
>
> Please review the draft and submit issues and pull requests via the
> GitHub repository that can be found at:
>
> https://github.com/dstebila/draft-ietf-tls-hybrid-design
>
> You can also send comments and feedback to tls@ietf.org.
>
> Cheers and thank you,
> Deirdre
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
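The two technical points in the message above, the server-side decapsulation failure that needs a retryable rather than terminal error, and the fixed-length shared-secret concatenation from Sections 3.3 and 6, modelled together in an added Python example. This is not code from the message, the draft, or any implementation of it. It assumes 32-byte components for both shared secrets, a constructed ToyKem stand-in for MyPQKEM (not a real or secure KEM; it exists only so one object can play both sides and have failures injected), and a hypothetical alert name hybrid_decapsulation_failure that no RFC defines. illegal_parameter is the real TLS 1.3 alert used as the terminal case.

```python
import hashlib
import hmac
import os

# Assumed fixed component lengths in bytes. The draft is algorithm-agnostic;
# 32 bytes matches a typical ECDH output and a typical KEM shared secret.
ECDH_SS_LEN = 32
PQKEM_SS_LEN = 32

# "illegal_parameter" is a real TLS 1.3 alert and is terminal.
# "hybrid_decapsulation_failure" is a hypothetical placeholder for the
# dedicated, retryable error code the review asks for; it is not in any RFC.
TERMINAL_ALERT = "illegal_parameter"
RETRYABLE_ALERT = "hybrid_decapsulation_failure"
MAX_RETRIES = 2


class DecapsulationFailure(Exception):
    """Raised by the KEM when a ciphertext cannot be decapsulated."""


class ToyKem:
    """Constructed stand-in for MyPQKEM. Not a real KEM and not secure: it draws a
    random shared secret and records it against a ciphertext tag so the same object
    can serve both peers; fail_next injects that many decapsulation failures."""

    def __init__(self):
        self._table = {}
        self.fail_next = 0

    def encapsulate(self):
        ss = os.urandom(PQKEM_SS_LEN)
        ct = hashlib.sha256(b"toy-kem-ct" + ss).digest()
        self._table[ct] = ss
        return ct, ss

    def decapsulate(self, ct):
        if self.fail_next > 0:
            self.fail_next -= 1
            raise DecapsulationFailure("injected failure")
        if ct not in self._table:
            raise DecapsulationFailure("unknown ciphertext")
        return self._table[ct]


def concatenation_is_ambiguous(a1, b1, a2, b2):
    """True when two different (ecdh, pqkem) pairs give the same raw concatenation.
    This is the ambiguity that fixed-length inputs rule out."""
    return (a1, b1) != (a2, b2) and a1 + b1 == a2 + b2


def concatenate_shared_secrets(ecdh_ss, pqkem_ss):
    """concatenated_shared_secret = MyECDH.shared_secret || MyPQKEM.shared_secret,
    accepted only when each part has its declared fixed length."""
    if len(ecdh_ss) != ECDH_SS_LEN:
        raise ValueError("ECDH shared secret must be %d bytes" % ECDH_SS_LEN)
    if len(pqkem_ss) != PQKEM_SS_LEN:
        raise ValueError("PQ KEM shared secret must be %d bytes" % PQKEM_SS_LEN)
    return ecdh_ss + pqkem_ss


def derive_handshake_secret(concatenated_ss, salt=b"\x00" * 32):
    """HKDF-Extract (RFC 5869) over the combined secret, as TLS 1.3 feeds it in."""
    return hmac.new(salt, concatenated_ss, hashlib.sha256).digest()


def server_handle_key_share(kem, ecdh_ss, pq_ciphertext):
    """Server side: decapsulate, combine, derive. Returns (alert, handshake_secret).
    Decapsulation failure maps to the dedicated retryable alert; a malformed
    share (wrong length) maps to the generic terminal alert."""
    try:
        pq_ss = kem.decapsulate(pq_ciphertext)
    except DecapsulationFailure:
        return RETRYABLE_ALERT, None
    try:
        combined = concatenate_shared_secrets(ecdh_ss, pq_ss)
    except ValueError:
        return TERMINAL_ALERT, None
    return None, derive_handshake_secret(combined)


def exchange_with_retry(kem, ecdh_ss, max_retries=MAX_RETRIES):
    """Client drives the exchange and retries only on the retryable alert.
    Returns (attempts, final_alert, secrets_match)."""
    for attempt in range(1, max_retries + 2):
        ct, client_pq_ss = kem.encapsulate()
        alert, server_secret = server_handle_key_share(kem, ecdh_ss, ct)
        if alert is None:
            client_secret = derive_handshake_secret(
                concatenate_shared_secrets(ecdh_ss, client_pq_ss))
            return attempt, None, client_secret == server_secret
        if alert != RETRYABLE_ALERT:
            return attempt, alert, False
    return max_retries + 1, RETRYABLE_ALERT, False
```

The retry loop is where the review's point shows up in practice: with a generic alert the client has nothing to distinguish "try again" from "give up", so every failure becomes terminal; with a dedicated alert the client can bound the retries and the server still does no extra work unless it chooses to signal retryable failure.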