Dear WG,

I've taken a look at the draft and I think while its discussion of the properties and limitations of the external PSKs is good, I think the recommendations in section 7 could use some minor editorial work.

In particular "SHOULD be combined with a DH exchange for forward secrecy." I would like to see rephrased to make clear that this is about the TLS PSK Key Exchange Mode. It wasn't immediately clear to me on first read, especially given the next sentence is (maybe) about key establishment outside of TLS.

"If only low-entropy keys are available, then key establishment mechanisms such as Password Authenticated Key Exchange (PAKE) that mitigate the risk of offline dictionary attacks SHOULD be employed". I have some questions about the meaning of this sentence. If it's about potential future additions to TLS ciphersuites, then it should be more clear that this doesn't currently exist and will in the future. If it's about designing an ad-hoc key distribution mechanism to be run one time ahead of PSK TLS, then I think we should say so more clearly and provide guidance on how to do this and think through the implications.

Section 7.1.1. While it's a good idea to compare byte by byte, humans entering PSK identifiers may run into trouble due to all the ways visually identical strings may not actually be identical. It might be worth calling this out as a consideration.

Sincerely,
Watson Ladd
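
The Section 7.1.1 point above, shown as an added illustration that is not part of the original message or of the draft: a byte-for-byte identity comparison next to a diagnostic that tells an operator why two human-entered identities failed to match. The function names and sample identities are hypothetical and constructed for this example.

```python
import unicodedata

def identities_match(provisioned: bytes, presented: bytes) -> bool:
    """Byte-for-byte comparison of two PSK identities."""
    return provisioned == presented

def explain_mismatch(provisioned: str, presented: str) -> str:
    """Classify why two human-entered identities differ on the wire.

    Diagnostic only: the match decision stays byte-for-byte.
    """
    if identities_match(provisioned.encode("utf-8"), presented.encode("utf-8")):
        return "match"
    # Same characters, different code point sequences (composed/decomposed,
    # then compatibility forms such as ligatures or full-width letters).
    for form in ("NFC", "NFKC"):
        if (unicodedata.normalize(form, provisioned)
                == unicodedata.normalize(form, presented)):
            return f"differs only by Unicode normalization ({form})"
    if provisioned.strip() == presented.strip():
        return "differs only by leading/trailing whitespace"
    if provisioned.casefold() == presented.casefold():
        return "differs only by case"
    # Cross-script look-alikes land here: normalization does not fold them.
    return "different identities"

# Constructed sample pairs: (as provisioned, as typed by a human).
SAMPLES = [
    ("caf\u00e9-gw", "cafe\u0301-gw"),   # precomposed vs combining accent
    ("\ufb01eld-01", "field-01"),        # "fi" ligature vs two letters
    ("sensor-01", "sensor-01 "),         # trailing space from copy/paste
    ("Sensor-01", "sensor-01"),          # case changed by an input form
    ("g\u0430teway", "gateway"),         # Cyrillic U+0430 vs Latin "a"
]

if __name__ == "__main__":
    for provisioned, presented in SAMPLES:
        print(repr(provisioned), repr(presented), "->",
              explain_mismatch(provisioned, presented))
```

The last pair shows that normalization does not make look-alike letters from different scripts equal, so a provisioning interface cannot depend on normalization alone to catch visually identical identities.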