Skip to main content

Telechat Review of draft-ietf-kitten-aes-cts-hmac-sha2-10

Request Review of draft-ietf-kitten-aes-cts-hmac-sha2
Requested revision No specific revision (document currently at 11)
Type Telechat Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2016-08-16
Requested 2016-08-10
Authors Michael J. Jenkins , Michael Peck , Kelley W. Burgin
Draft last updated 2016-10-28
Completed reviews Genart Last Call review of -10 by Vijay K. Gurbani (diff)
Genart Telechat review of -10 by Vijay K. Gurbani (diff)
Secdir Last Call review of -10 by Watson Ladd (diff)
Opsdir Last Call review of -10 by Scott O. Bradner (diff)
Assignment Reviewer Vijay K. Gurbani
State Completed
Review review-ietf-kitten-aes-cts-hmac-sha2-10-genart-telechat-gurbani-2016-10-28
Reviewed revision 10 (document currently at 11)
Result Ready with Issues
Completed 2016-10-28
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-kitten-aes-cts-hmac-sha2-10
Reviewer: Vijay K. Gurbani
Review Date: Jul-29-2016
IETF LC End Date: Jul-20-2016
IESG Telechat date: Unknown

This document is ready as an Informational.

Major: 0
Minor: 2
Nits: 1

- S3, top of page 4, while defining "context": What is the format of this
optional string: is it comma separated?  Or does it not matter because the
byte-string in context is supposed to be an opaque label?  I ask because the

byte-string can contain multiple values (identities of parties, nonce, 


consequently, how does a receiver know where one value ended and another one

I realize that when "context" is used for key derivation in the KDF, 


elements of the "context" does not matter; but since the text makes the 


that "context" may include "identities of parties who are deriving 

and/or using

the derived key material...", it seems appropriate that the recipient 

know what

separates the ID from the nonce.

- S3, middle of page 4: "When the encryption type is 


k must be no  greater than 256." 256 what?  Bits (I believe).  Similarly for
384.  Better to be complete.


- S1, second paragraph: "...but do not use the simplified profile."  Any 


into why simplified profile is not used may be helpful to the reader for the

sake of completeness.  (Of course, if the reasons that the simplified 

profile is

not being used are blatantly obvious to practicioners in this field, 

then don't

worry about this comment.  But if not, it may help.)


- vijay
Vijay K. Gurbani, Bell Laboratories, Nokia Networks
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60563 (USA)
Email: vkg@{,} / vijay.gurbani at

  | Calendar: