[TLS] AD review of draft-ietf-tls-external-psk-importer-05

Roman Danyliw <rdd@cert.org> Thu, 01 October 2020 20:22 UTC

Return-Path: <rdd@cert.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 848293A0855 for <tls@ietfa.amsl.com>; Thu, 1 Oct 2020 13:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id N4nFfIoPrLZO for <tls@ietfa.amsl.com>; Thu, 1 Oct 2020 13:22:20 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E76353A084A for <tls@ietf.org>; Thu, 1 Oct 2020 13:22:19 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu []) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 091KMIhA012840 for <tls@ietf.org>; Thu, 1 Oct 2020 16:22:18 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 091KMIhA012840
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1601583738; bh=r8nvVUcFxwBHmO9hBtyaDX15YDLC/tgxuvvfVPSSn5o=; h=From:To:Subject:Date:From; b=e9Wh2WD+BHTL8EzI1vWoB0AtPBsW9qjD6MLhFEr5LiK5Dy6ly26Uzlb0RGey2UOQ8 ui/4C7s0u68enbkig7DjVIjqO3QjuSz+DFKOrslhOuZcGqJdeOFQx0w9fk7gND/5G+ mN+wC29rY/B0dJOCAvMSXObXMh/58gmeQdsVNBEc=
Received: from MORRIS.ad.sei.cmu.edu (morris.ad.sei.cmu.edu []) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 091KMHnO018509 for <tls@ietf.org>; Thu, 1 Oct 2020 16:22:17 -0400
Received: from MORRIS.ad.sei.cmu.edu ( by MORRIS.ad.sei.cmu.edu ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Thu, 1 Oct 2020 16:22:17 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Thu, 1 Oct 2020 16:22:17 -0400
From: Roman Danyliw <rdd@cert.org>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: AD review of draft-ietf-tls-external-psk-importer-05
Thread-Index: AdaYLjPfkzWhVdSqTsKm/ZDAsEdrOw==
Date: Thu, 1 Oct 2020 20:22:16 +0000
Message-ID: <f7c983a755954f588e9b321365b0d5c8@cert.org>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lxbyDlFdJyDdfb8Ld7CvJzicMJM>
Subject: [TLS] AD review of draft-ietf-tls-external-psk-importer-05
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2020 20:22:23 -0000


I've assumed the role of responsible AD on this document.  As such, I performed an AD review of draft-ietf-tls-external-psk-importer-05.  All in all, it is in good shape.  My feedback is primarily around clarifying the content of the new KDF registry and a few of editorial suggestions.  Given that, I'm going to advance this document to IETF LC and the feedback below can be discussed/addressed concurrently.

** Section 1.  Editorial.  Expand acronym on first use:
-- s/TLS 1.2 PRF/TLS 1.2 Pseudorandom Function (PRF)/
-- s/KDF/Key Derivation Function (KDF)/

** Section 1. Editorial.  Since the text says "... this document specifies a PSK Importer interface ... for use in D(TLS 1.3)" perhaps the this scoping should also be upfront in the first sentence too:
s/TLS 1.3 [RFC8446] supports/(D)TLS 1.3 [RFC8446][ID-DTLS]/

** Section 4.1.  Editorial.  Per "The list of 'target_kdf' ...", other parts of this text refer to elements of struct ImportIdentity with the notation "ImportedIdentity.*".  Consider s/The list of "target_kdf" values/The list of ImportedIdentity.target_kdf values/

** Section 4.1.
If the EPSK is a key derived from some other protocol or
   sequence of protocols, ImportedIdentity.context MUST include a
   channel binding for the deriving protocols [RFC5056].

To the end of this normative guidance, I'd recommend adding something to the effect of: "The details of this binding will be protocol specific and out of scope in this document".

** Section 4.1.  Per "If no hash function is specified, SHA-256 MUST be used"

-- Please provide a reference for SHA-256 (per "... If no hash function is specified, SHA-256 MUST be used").   

-- It is likely worth saying that this is the equivalent of HKDF_SHA256 (i.e., 0x0001)

** Section 4.1.  Per "EPSKs may be imported before the started of the connection ..." and "EPSKs may also be imported for early data use ..." should be these be a normative MAYs?

** Section 4.1.  Per "Minimally, that means ALPN, QUIC ... must be provisioned alongside these EPSK"
-- Please expand ALPN

-- should this be a normative MUST?

** Section 9.  Per the columns in the registry:
-- Is there a reason why there isn't a Reference column in the registry to capture which specification describes the particular KDF?  I think it needs one to eliminate guesswork from the label in "KDF Description" to an algorithm.  

-- Was a Recommended column (and the associated processed for populating it like a few of the other TLS registries) discussed/considered?

** Section 9.  While it is implied by the label, the text doesn't explicitly say what HKDF_SHA256 and _SHA384 are (per previous comment about needing a reference).