[TLS] Francesca Palombini's No Objection on draft-ietf-tls-exported-authenticator-14: (with COMMENT)

Francesca Palombini via Datatracker <noreply@ietf.org> Sun, 04 April 2021 10:57 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E66583A21F6; Sun, 4 Apr 2021 03:57:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Francesca Palombini via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-tls-exported-authenticator@ietf.org, tls-chairs@ietf.org, tls@ietf.org, Sean Turner <sean@sn3rd.com>, Christopher Wood <christopherwood07@gmail.com>, sean@sn3rd.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Francesca Palombini <francesca.palombini@ericsson.com>
Message-ID: <161753383291.16671.11431634616201810816@ietfa.amsl.com>
Date: Sun, 04 Apr 2021 03:57:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-_sieQDtMzDRyXkEYL6bDqbD6mI>
Subject: [TLS] Francesca Palombini's No Objection on draft-ietf-tls-exported-authenticator-14: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Apr 2021 10:57:13 -0000

Francesca Palombini has entered the following ballot position for
draft-ietf-tls-exported-authenticator-14: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for the work on this document, and thank you to the doc shepherd for
the in-depth background. Please find some comments below.

Francesca

1. -----

   TLS (or DTLS) version 1.2 [RFC5246] [RFC6347]. or later are REQUIRED
   to implement the mechanisms described in this document.

FP: Does this mechanism applies to DTLS as well? The sentence above, the
normative reference to DTLS 1.2, and the IANA section 8.2 would imply so.
However, this is the only time DTLS is mentioned in the body of the document,
excluding IANA considerations. I would like it to be made explicit that this
mechanism can be used for DTLS (if that's the case) both in the abstract and in
the introduction, add any useful considerations about using this mechanism with
DTLS vs TLS, and possibly add a sentence in the introduction stating that DTLS
1.X uses what specified for TLS 1.X. Two examples of why that would be useful
are the following sentences:

   using an exporter as described in Section 4 of [RFC5705] (for TLS
   1.2) or Section 7.5 of [TLS13] (for TLS 1.3).  For TLS 1.3, the

   "signature_algorithms" and "signature_algorithms_cert" extension, as
   described in Section 4.2.3 of [TLS13] for TLS 1.3 or the
   "signature_algorithms" extension from Sections 7.4.2 and 7.4.6 of
   [RFC5246] for TLS 1.2.

which makes it clear what applies for TLS but not for DTLS.

2. -----

   used to send the authenticator request SHOULD use a secure with
   equivalent security to TLS, such as QUIC [QUIC-TLS], as its as its

FP: What are the implications of not using such a secure transport protocol?
Why is it just RECOMMENDED and not MANDATED? nits: missing word "use a secure
with" ; remove one of the duplicated "as its". (Note: this text appears again
with the same typos for the authenticator in section 5)

3. -----

      extensions (OCSP, SCT, etc.)

FP: Please consider adding informative references.