Thanks for the quick review.

On Wed, Aug 17, 2016 at 10:26 PM, Ilari Liusvaara <ilariliusva...@welho.com>
wrote:

> On Wed, Aug 17, 2016 at 02:49:52PM -0700, Eric Rescorla wrote:
> > Folks,
> >
> > I've just submitted draft-ietf-tls-tls13-15.
>
> Doing brief review:
>
> - Section 4.2.2 talks about EdDSA using "ECDSA cipher suites". TLS 1.3 does
>   not have those. However, this kind of information is very relevant
>   for TLS 1.2 backward compatibility: you need to assign TLS 1.2
>   cipher suites for EdDSA in order to use it in TLS 1.2. TLS 1.3 does
>   not care either way.
>

Thanks. Will try to fix.


> - I note that accepting PSK and selecting the auth mode seem to be
>   in separate messages, which seems quite annoying implementation-
>   wise..


Can you elaborate on this? The intent is that they both appear in
ServerHello (in pre_shared_key and signature_algorithms respectively).


> - Can the server send arbitrary certificate in response to PSK or is
>   it somehow restricted? The document does not seem to talk about it.
>

The document right now is supposed to be PSK XOR server signs, so the
answer is supposed to be "no". If/when we allow both together, then
we'll have to address this, which is a bit tricky.



>
> - The HelloRetryRequest is problematic in pure-PSK case[1].
>
>
> [1] One way to do it would be to move the group to extension, which
> would only be sent if new group was needed. Then one could always
> require at least one extension (the field could also be renamed).
> Also, one could make it so that HRR extensions don't have to
> correspond to CH extensions (and unsupported one is a fatal error).
>

Agreed on both counts. PR wanted.
https://github.com/tlswg/tls13-spec/issues/560

-Ekr


>
>
>
> -Ilari
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
