Early Review of draft-ietf-tokbind-tls13-00
SECDIR *early* review of draft-ietf-tokbind-tls13-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.These comments were written with the intent of improving security
requirements and considerations in IETF drafts.Comments not addressed in
last call may be included in AD reviews during the IESG review.Document
editors and WG chairs should treat these comments just like any other
last call comments.
This (very brief) document defines how to negotiate Token Binding for
TLS v1.3. Existing IETF documents (IDs) define this protocol and how to
negotiate it capability only for earlier versions of TLS.
The first question that comes to mind is why there is a need for a new
ID, instead of adding text to draft-ietf-tokbind-negotiation-10. I
realize that draft-ietf-tokbind-negotiation-10 is in last call, but the
text here is so small that it seems overkill to create a separate RFC.
I’m guessing that the argument is that this document references TLS 1.3,
which is not yet an RFC, and thus the author is trying to avoid creating
a down reference problem with draft-ietf-tokbind-negotiation-10. Right?
Section 2 notes that the format of the extension is the same as defined
in draft-ietf-tokbind-negotiation-10, so nothing new there. The section
cites two differences from the behavior in
draft-ietf-tokbind-negotiation-10, which are described in just two
sentences. Section 3 adds one paragraph to deal with 0-RTT, a TLS 1.3
feature not present in earlier versions.Section 4 is non-normative, but,
presumably useful. The security concerns are asserted to be the same as
for draft-ietf-tokbind-negotiation-10, plus a sentence discussing why
the 0-RTT exclusion avoids other potential security concerns.
So, if folks don’t want to delay publication of
draft-ietf-tokbind-negotiation-10, I guess this is OK as a separate
document, updating that RFC.