Last Call Review of draft-mcgrew-tls-aes-ccm-ecc-07
review-mcgrew-tls-aes-ccm-ecc-07-secdir-lc-eastlake-2013-10-31-00

My apologies. I don't know that a review this late is useful but I
have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.

This document specifies the use of AES and ECC in CBC-MAC Mode (CCM)
for TLS 1.2. Further, it uses Ephemeral Elliptic Curve Diffie-Hellman
(ECDHE) to establish keys. The document is pretty short and to the
point. The Security Considerations section just mentions the benefit
of "perfect forward secrecy", the burden that the counter in AES-CCM
never be reused, and how that burden is met. I believe that, overall,
the document adequately covers needed security considerations when one
also takes into account material outside of the Security
Considerations section.

Question:

There are a number of SHOULDs in this draft with no indication of when
you might not do what is specified. For example "The client SHOULD
offer the elliptic_curves extension" If the specified crypto depends
on ECC, what happens if the client doesn't do that?

Trivia:

In standards track documents, I prefer to use "specifies" rather than
"describes", for example in the abstract and introduction.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 at gmail.com