Hi Stephen,
Thanks for your review. Here are a few comments to your comments.
On 10/13/2014 07:27 PM, Stephen Farrell wrote:
- s2, 2nd para: "a more systemic solution" is left hanging
- do you mean TLS1.3? If so, maybe say so?
Actually this is a leftover from the unified attacks+BCP draft, and
that's what is meant.
- 2.6: should the RFC editor wait on the official
allocation of the BEAST CVE number? I don't think that's
happened already has it?
BEAST is fine, this is about BREACH. the CVE number is allocated but
that's about it, and people are citing it. I am not familiar with the
CVE allocation procedures, for all I know it may remain
reserved-but-unofficial forever. I certainly don't want to hold the RFC
waiting for it.
- 2.7, is Bleichenbacher really a certificate attack? I
think its not, but is a pkcs#1 encryption attack. (It
would apply just as well to OOB keys in TLS.) I'm not sure
if Klima is or is not the same in that respect. Also the
timing attacks in the 2nd para, don't seem to be
certificate related are they? So perhaps only the last
para is really certificate related?
You're right I believe. Need to recheck and maybe rework the title.
- 2.10: isn't TRIPLE-HS published yet?
Yes.
http://prosecco.gforge.inria.fr/bibtexbrowser.php?key=BhargavanDFPS14&bib=ourpubs.bib
- 2.12: A reference would be good here if we have one,
esp. for the "It is known" point.
[Private communication]...
http://www.ietf.org/mail-archive/web/uta/current/msg00387.html
- 2.13: Doesn't that paper also blame hard-to-use APIs as
well as the IETF protocols and their complexity? Worth a
mention?
Personally, I don't think it's worth a mention. As they say, it is not
"actionable".
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
