Early Review of draft-ietf-tokbind-tls13-00
review-ietf-tokbind-tls13-00-secdir-early-kent-2018-03-29-00

Request
Review of: draft-ietf-tokbind-tls13
Requested rev.: no specific revision (document currently at 03)
Type: Early Review
Team: Security Area Directorate (secdir)
Deadline: 2018-04-15
Requested: 2018-03-21
Requested by: Leif Johansson
Authors: Nick Harper
Draft last updated: 2018-03-29
Completed reviews: Secdir Early review of -00 by Stephen Kent
Comments: The WG would like early review from somebody in the TLS1.3 community.

Assignment
Reviewer: Stephen Kent
State: Completed
Review: review-ietf-tokbind-tls13-00-secdir-early-kent-2018-03-29
Reviewed rev.: 00 (document currently at 03)
Review result: Ready
Review completed: 2018-03-29

Review

SECDIR *early* review of draft-ietf-tokbind-tls13-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written with the intent of improving security
requirements and considerations in IETF drafts. Comments not addressed in
last call may be included in AD reviews during the IESG review. Document
editors and WG chairs should treat these comments just like any other
last call comments.

This (very brief) document defines how to negotiate Token Binding for
TLS v1.3. Existing IETF documents (IDs) define this protocol and how to
negotiate its capability only for earlier versions of TLS.

The first question that comes to mind is why there is a need for a new 
ID, instead of adding text to draft-ietf-tokbind-negotiation-10. I 
realize that draft-ietf-tokbind-negotiation-10 is in last call, but the 
text here is so small that it seems overkill to create a separate RFC. 
I’m guessing that the argument is that this document references TLS 1.3, 
which is not yet an RFC, and thus the author is trying to avoid creating 
a down reference problem with draft-ietf-tokbind-negotiation-10. Right?

Section 2 notes that the format of the extension is the same as defined 
in draft-ietf-tokbind-negotiation-10, so nothing new there. The section 
cites two differences from the behavior in 
draft-ietf-tokbind-negotiation-10, which are described in just two 
sentences. Section 3 adds one paragraph to deal with 0-RTT, a TLS 1.3
feature not present in earlier versions. Section 4 is non-normative, but
presumably useful. The security concerns are asserted to be the same as
for draft-ietf-tokbind-negotiation-10, plus a sentence discussing why 
the 0-RTT exclusion avoids other potential security concerns.

So, if folks don’t want to delay publication of 
draft-ietf-tokbind-negotiation-10, I guess this is OK as a separate 
document, updating that RFC.