> == COMMENTS ==
> 
> -- Section 4.1 --
> A wild guess (as I do not know the details of TLS 1.3), but if a group member
> is compromised and no ephemeral keys were used, then isn't the attacker able to
> read even the past/recorded traffic ?

The document says:

   3.  If PSK is not combined with fresh ephemeral key exchange, then
       compromise of any group member allows the attacker to passively
       read (and actively modify) all traffic.

Yes.  For clarity, we can add "..., including past traffic" to the end to make
the scope of "all traffic" clear.

> -- Section 5.1 --
> Suggest to expand "PoP".

Okay; will change it to "point-of-presence (PoP)".

> Also wonder about the German eID use case... While the BSI specification allows
> for using PSK, it does not appear as the recommended mode by BSI. I.e., does
> this reference help the case for this I-D ? Suggest to remove it.

Since it is allowed, it could be used even if it is not the recommended 
approach.

> I also wonder why quantum resistance is not at the top ;-)

There was no attempt to prioritize the examples in any particular order.

> -- Section 5.2 --
> About the IoT "UI", I would assume that some USB ports could also be used. Or
> are USB/bluetooth/... considered as UI ?

We did not consider a USB port to be a user interface.  Even if it were, I
think that would fall into TOFU, which is already discussed.

> -- Section 5.3 --
> "each pair of nodes has a unique key pair" is puzzling as PSK usually consist
> of a unique key and not a key pair. What am I missing ?

Your point is discussed in Section 4, which says:

   PSK authentication security implicitly assumes one fundamental
   property: each PSK is known to exactly one client and one server, and
   that these never switch roles.  If this assumption is violated, then
   the security properties of TLS are severely weakened as discussed
   below.

In Section 5.3, we try to reinforce this point, and admit that pairwise keys 
are not always possible.

> == NITS ==
> Section 5.2 "among several node is" (plural ?)
> Section 8 "extend beynond proper identification"

Fixed.

Russ

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
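
The Section 4.1 point about past traffic can be checked against the TLS 1.3 key schedule (RFC 8446, Section 7.1). The following is an added example, not part of the message or the draft: it derives the client handshake traffic secret with and without an (EC)DHE input and shows which one can be recomputed later from the PSK and the recorded cleartext hello messages. The PSK, transcript and ECDHE values are constructed, and the helper names are hypothetical.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret, label, context, length):
    # HkdfLabel: uint16 length, "tls13 " + label, context (each length-prefixed)
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret, label, messages):
    return expand_label(secret, label, HASH(messages).digest(), HLEN)

def handshake_traffic_secret(psk, transcript, dhe=None):
    """Client handshake traffic secret; dhe=None models psk_ke (zero input)."""
    early = hkdf_extract(bytes(HLEN), psk)
    derived = derive_secret(early, b"derived", b"")
    handshake = hkdf_extract(derived, dhe if dhe is not None else bytes(HLEN))
    return derive_secret(handshake, b"c hs traffic", transcript)

# Constructed sample values (not real key material or captured traffic).
PSK = bytes(range(32))                                   # group PSK
DHE = HASH(b"constructed ECDHE shared secret").digest()  # erased after handshake
TRANSCRIPT = b"ClientHello || ServerHello (constructed, sent in the clear)"

def recorded_session_recoverable(dhe_used):
    """True if the PSK plus the recorded transcript reproduce the session secret."""
    session = handshake_traffic_secret(PSK, TRANSCRIPT, DHE if dhe_used else None)
    later = handshake_traffic_secret(PSK, TRANSCRIPT)  # ECDHE secret not available
    return hmac.compare_digest(session, later)

if __name__ == "__main__":
    print("psk_ke recoverable:    ", recorded_session_recoverable(False))
    print("psk_dhe_ke recoverable:", recorded_session_recoverable(True))
```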
