Re: [TLS] WGLC for rsa-aes-gcm and ecc-new-mac
<Pasi.Eronen at nokia.com> writes:
> <wg chair hat on>
>
> This message starts a WG last call on the following two drafts:
>
> draft-ietf-tls-rsa-aes-gcm-02
> draft-ietf-tls-ecc-new-mac-04
>
> prior to sending them to the IESG for publication as Proposed
> Standard (rsa-aes-gcm) and Informational (ecc-new-mac).
>
> Please send your comments to the WG mailing list by Wednesday
> March 5th. Comments along the lines "I've read it and it looks
> OK" are helpful and encouraged.
With the following fixes, I think the documents are OK. I haven't
implemented them though, so there may still be other issues.
For draft-ietf-tls-ecc-new-mac-04:
* Section 1 says "This document specifies TLS ECC cipher suites which
replace SHA-256 and SHA-384 rather than SHA-1.". I can't parse this.
s/replace/uses/?
* Section 2.1 and 2.2, where is P_SHA-256 defined etc? RFC 4346bis
mentions P_SHA256 but not P_SHA-256.
* Section 2.2, what should be done if AES-GCM decrypt fails? Unlike
most other ciphers, AES-GCM can fail to decrypt data. Either a
discussion, or a pointer to discussion elsewhere, to specify the
behaviour in TLS would be useful. There may be side-channel
considerations here, so it may be relevant to add that decrypt errors
should not be leaked.
For draft-ietf-tls-rsa-aes-gcm-02:
* Section 1, typo "ciphersutes".
* Section 3, same as for the other document, what should be done if
AES-GCM decrypt fails?
/Simon
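The decrypt-failure point raised above, as an added example that is not part of the thread or of either draft: a minimal TLS GCM record layer in Go whose receiver collapses every failure (short record, tag mismatch, AAD mismatch from a wrong sequence number) into one error, mapped to a single bad_record_mac alert, and never releases partial plaintext. It assumes the nonce and additional_data layout that RFC 5288 eventually specified (4-byte implicit salt from the key block plus an 8-byte explicit nonce in the record; additional_data = seq_num || type || version || plaintext length); the RecordCipher type and its method names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// One error for every decryption failure (short record, tag or AAD mismatch); the
// caller maps it to bad_record_mac, so the peer learns only that the record was rejected.
var ErrBadRecordMAC = errors.New("tls: bad_record_mac")
const explicitNonceLen, tagLen = 8, 16

// One direction's AES-GCM key plus the 4-byte implicit nonce salt from the key block
// (RFC 5288 layout, assumed here).
type RecordCipher struct{ aead cipher.AEAD; salt []byte }
func NewRecordCipher(key, salt []byte) (*RecordCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &RecordCipher{aead, salt}, nil
}

// gcmAAD = seq_num || type || version || length, length being the plaintext length.
func gcmAAD(seq uint64, typ byte, ver [2]byte, ptLen int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad[0:8], seq)
	aad[8], aad[9], aad[10] = typ, ver[0], ver[1]
	binary.BigEndian.PutUint16(aad[11:13], uint16(ptLen))
	return aad
}

// Seal builds a record fragment: explicit_nonce || ciphertext || tag.
func (c *RecordCipher) Seal(explicit []byte, seq uint64, typ byte, ver [2]byte, pt []byte) []byte {
	nonce := append(append([]byte{}, c.salt...), explicit...)
	ct := c.aead.Seal(nil, nonce, pt, gcmAAD(seq, typ, ver, len(pt)))
	return append(append([]byte{}, explicit...), ct...)
}

// Open: every failure yields (nil, ErrBadRecordMAC); no partial plaintext is released.
func (c *RecordCipher) Open(seq uint64, typ byte, ver [2]byte, frag []byte) ([]byte, error) {
	if len(frag) < explicitNonceLen+tagLen {
		return nil, ErrBadRecordMAC
	}
	nonce := append(append([]byte{}, c.salt...), frag[:explicitNonceLen]...)
	ct := frag[explicitNonceLen:]
	pt, err := c.aead.Open(nil, nonce, ct, gcmAAD(seq, typ, ver, len(ct)-tagLen))
	if err != nil {
		return nil, ErrBadRecordMAC
	}
	return pt, nil
}
```

Because the sequence number is bound through the AAD, a replayed or reordered record fails exactly like a forged one, and the caller cannot tell the cases apart either.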
_______________________________________________
TLS mailing list
TLS at ietf.org
http://www.ietf.org/mailman/listinfo/tls