rdroms / draft-green-tls-static-dh-in-tls13

Work area for Internet Draft draft-green-tls-static-dh-in-tls13

Document review from Paul Turner #7

Closed rdroms closed 7 years ago

rdroms commented 7 years ago
  1. Abstract, Sentence 2: I would recommend changing “static Diffie-Hellman secret” to “static Diffie-Hellman private key”. RFC 2631 only uses “secret” to describe the shared secret and uses “private key” to refer to the private key that would be the static key in this case.
  2. Section 1, Paragraph 2, Sentence 2: Change “to meet regulatory auditing requirements that must passively monitor” to “to meet regulatory auditing requirements to passively monitor”.
  3. Section 1, Paragraph 2, Sentence 2: Change “TLS connections made to endpoints under the enterprise's control” to “TLS connections made between endpoints under the enterprise's control”. This change is because this only applies to internal systems. As currently stated, it could include extranet connections.
  4. Section 1, Paragraph 4, Sentence 1: Change “static Diffie-Hellman secret” to “static Diffie-Hellman private key”
  5. Section 3, Second group of bullets, Bullet 4: Change “If we use the average time to breach detection as our guide for packet and key retention, the number of days increases.” to “Using the average time to breach detection as the guide for packet and key retention, the number of days increases.”
  6. Section 4: Change “Summary of the existing Diffie-Hellman handshake” to “Summary of the Existing Diffie-Hellman Handshake”. Title case.
  7. Section 4, Item 3: Change “own ephemeral secret” to “own ephemeral private key”.
  8. Section 4, Item 5: Change “Data encryption is performed using these keys” to “Data encryption is performed using the shared secret”. We don’t refer to a key in the previous item. If we were to expand the previous item to include “session key”, we could leave this item as currently written.
  9. Section 5, Paragraph 1: Change “the following ways.” to “the following ways:”
  10. Section 5, Paragraph 2: Change “ECDHE private/public” to “(EC)DHE private/public”
  11. Section 5, Bullet 2: Change “to many endpoint servers” to “to the appropriate endpoint servers”. This seems like it could be read to mean that we intend one key to be distributed to many servers.
  12. Section 6, Paragraph 1: Change “The asymmetric key package” to “The Asymmetric Key Package”.
  13. Section 7, Paragraph 1, Sentence 3: Change “TLS decrypters” to “TLS decrypters (security appliances)”. Providing an association back to the first diagram. Alternatively, we could change “TLS decrypters” to “security appliances” in this section and the figure. I used “TLS decrypter” because that is sometimes the primary function of the system, which then passes plain text data to security appliances, performance monitors, etc.
  14. Figure 5: I noticed that you changed the direction of the arrows. If we’re going to take this approach, I recommend we be more literal and have an arrow from the consumers to the key managers labelled Request key pair and another arrow from the key manager to the consumers saying deliver key pair. My two cents.
  15. Section 7.1, Paragraph 1: Change “either a Simple or Full PKI Response.” to “the Asymmetric Key Package.”
  16. Section 7.1, Paragraph 2, Sentence 2: Change “AsymmetricKeyPackage” to “Asymmetric Key Package”
  17. Section 7.2, Paragraph 4: Change “either a Simple or Full PKI Response.” to “the Asymmetric Key Package.”
  18. Section 7.2, Paragraph 5, Sentence 2: Change “AsymmetricKeyPackage” to “Asymmetric Key Package”
  19. Section 10, Item 1, Sentence 1: Change “fully-ephemeral ECHDE to partially static Diffie-Hellman” to “fully-ephemeral (EC)DHE to partially static (EC)DH”.
  20. Section 10, Last Sentence: Change “Static secret keys should be rotated regularly.” to “Static (EC)DH key pairs should be rotated regularly.”
rdroms commented 7 years ago
  1. Abstract, Sentence 2: I would recommend changing “static Diffie-Hellman secret” to “static Diffie-Hellman private key”. RFC 2631 only uses “secret” to describe the shared secret and uses “private key” to refer to the private key that would be the static key in this case.

    Done.

  2. Section 1, Paragraph 2, Sentence 2: Change “to meet regulatory auditing requirements that must passively monitor” to “to meet regulatory auditing requirements to passively monitor”.

    Done.

  3. Section 1, Paragraph 2, Sentence 2: Change “TLS connections made to endpoints under the enterprise's control” to “TLS connections made between endpoints under the enterprise's control”. This change is because this only applies to internal systems. As currently stated, it could include extranet connections.

    Done.

  4. Section 1, Paragraph 4, Sentence 1: Change “static Diffie-Hellman secret” to “static Diffie-Hellman private key”

    Done.

  5. Section 3, Second group of bullets, Bullet 4: Change “If we use the average time to breach detection as our guide for packet and key retention, the number of days increases.” to “Using the average time to breach detection as the guide for packet and key retention, the number of days increases.”

    Done.

  6. Section 4: Change “Summary of the existing Diffie-Hellman handshake” to “Summary of the Existing Diffie-Hellman Handshake”. Title case.

    Done.

  7. Section 4, Item 3: Change “own ephemeral secret” to “own ephemeral private key”.

    Done.

  8. Section 4, Item 5: Change “Data encryption is performed using these keys” to “Data encryption is performed using the shared secret”. We don’t refer to a key in the previous item. If we were to expand the previous item to include “session key”, we could leave this item as currently written.

    Done; made first suggested change.

  9. Section 5, Paragraph 1: Change “the following ways.” to “the following ways:”

    Done; made some other minor edits in this area.

  10. Section 5, Paragraph 2: Change “ECDHE private/public” to “(EC)DHE private/public”

    Change not made; "ECDHE" is used throughout the rest of the document.

  11. Section 5, Bullet 2: Change “to many endpoint servers” to “to the appropriate endpoint servers”. This seems like it could be read to mean that we intend one key to be distributed to many servers.

    Done.

  12. Section 6, Paragraph 1: Change “The asymmetric key package” to “The Asymmetric Key Package”.

    Done.

  13. Section 7, Paragraph 1, Sentence 3: Change “TLS decrypters” to “TLS decrypters (security appliances)”. Providing an association back to the first diagram. Alternatively, we could change “TLS decrypters” to “security appliances” in this section and the figure. I used “TLS decrypter” because that is sometimes the primary function of the system, which then passes plain text data to security appliances, performance monitors, etc.

    I left TLS decrypters unchanged in Section 7 and changed "Security Appliance" to "TLS Decrypter" in figure 1.

  14. Figure 5: I noticed that you changed the direction of the arrows. If we’re going to take this approach, I recommend we be more literal and have an arrow from the consumers to the key managers labelled Request key pair and another arrow from the key manager to the consumers saying deliver key pair. My two cents.

    The arrows were wrong because of a cut-and-paste error. Fixed.

  15. Section 7.1, Paragraph 1: Change “either a Simple or Full PKI Response.” to “the Asymmetric Key Package.”

    Done.

  16. Section 7.1, Paragraph 2, Sentence 2: Change “AsymmetricKeyPackage” to “Asymmetric Key Package”

    Done.

  17. Section 7.2, Paragraph 4: Change “either a Simple or Full PKI Response.” to “the Asymmetric Key Package.”

    Done.

  18. Section 7.2, Paragraph 5, Sentence 2: Change “AsymmetricKeyPackage” to “Asymmetric Key Package”

    Done.

  19. Section 10, Item 1, Sentence 1: Change “fully-ephemeral ECHDE to partially static Diffie-Hellman” to “fully-ephemeral (EC)DHE to partially static (EC)DH”.

    I put ECDHE in both places for consistency with the remainder of the document.

  20. Section 10, Last Sentence: Change “Static secret keys should be rotated regularly.” to “Static (EC)DH key pairs should be rotated regularly.”

    Done; I used ECDHE.

rdroms commented 7 years ago

Edits made and committed.