Last Call Review of draft-ietf-tls-chacha20-poly1305-04
review-ietf-tls-chacha20-poly1305-04-secdir-lc-harkins-2016-04-07-00

Request Review of draft-ietf-tls-chacha20-poly1305
Requested rev. no specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-04-05
Requested 2016-03-23
Draft last updated 2016-04-07
Completed reviews Genart Last Call review of -04 by Roni Even
Secdir Last Call review of -04 by Dan Harkins
Opsdir Last Call review of -04 by Stefan Winter
Assignment Reviewer Dan Harkins
State Completed
Review review-ietf-tls-chacha20-poly1305-04-secdir-lc-harkins-2016-04-07
Reviewed rev. 04
Review result Ready
Review completed: 2016-04-07

Review
review-ietf-tls-chacha20-poly1305-04-secdir-lc-harkins-2016-04-07

  Greetings,

  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  The draft defines how to use the chacha20+poly1305 AEAD mode
in TLS. chacha is a cipher mode "designed by D.J. Bernstein" and
poly1305 is an authenticator "designed by D.J. Bernstein" (as the
draft sees necessary to mention) and the two have been combined
into an AEAD mode as defined in RFC 7539. This draft just says
to use the method of AEAD incorporation that the TLS specification
(RFC 5246) defines to put this AEAD mode into (D)TLS. It asks for
7 new TLS cipher suites.

  It's very concise and I consider it "Ready". That said, I'd add
a personal nit (which doesn't rise to the level of "Ready with nits")
that it's probably not necessary to have both a TLS_PSK_WITH and a
PSK_ECDHE_PSK_WITH cipher suite and would prefer doing away with
the former.

  regards,

  Dan.