Deb Cooley has entered the following ballot position for draft-ietf-uta-require-tls13-10: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-uta-require-tls13/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Section 6, para 3, sentence 1: All Finite Field DH? Or all except those using
ephemeral FFDH specified in RFC7919? If FFDHE with one of the RFC7919 groups is
used, what is the vulnerability? I think you could add the word 'most' in front
of 'finite field DH'. And you could reference RFC 7919, but I won't require it.
[I will note that TLS1.3 allows FFDHE]

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Hillarie Orman for their secdir review.

Title: While I'm not generally a fan of suggesting title changes, it may be
warranted here. Perhaps, 'New Protocols Utilizing TLS Must Require TLS 1.3'.

Abstract: I think you are burying the lead here. Perhaps:
'TLS 1.3 use is widespread, it has had comprehensive security proofs, and it
improves both security and privacy over TLS 1.2. Therefore, new protocols that
use TLS must require TLS 1.3. As DTLS 1.3 is not widely available or deployed,
this prescription does not pertain to DTLS (in any DTLS version); it pertains to
TLS only. This document updates RFC9325, discusses post-quantum cryptography and
the security and privacy improvements over TLS 1.2 as a rationale for that
update.'

Introduction: For similar reasons (burying the lead), I would put the third para
first, and then swap the first and second paragraphs (some small changes will be
needed - remove 'also').

Section 6, para 2: 'extension points'? maybe just 'extensions'? [or add
'points' to all the places 'extension' is used in the para.]

_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org