I have three main concerns on the draft:

1. Precisely which keys are compromised and how? I believe the "how" part is necessary to check that the solution actually solves the problem. (e.g., application_traffic_secret being compromised because of compromise of g^xy is different from application_traffic_secret compromised without the compromise of g^xy)

2. Having security considerations with only "This entire document is about security." is unacceptable.

3. Terminology in the draft is quite imprecise. Many terms have been invented, such as "SEND keys" but never defined clearly. From a terminology perspective, please stay as close to 8446bis as possible, and properly define any new terminology in the terminology section. I also don't like "initiator" because by default I always think of that as Client in TLS context, but the draft uses it for server also.
More detailed comments and some concrete suggestions are in the issue [0].

-Usama

[0] https://github.com/tlswg/tls-key-update/issues/59
