From Paul Turner:
Section 2, Sentence 2: I suggest we change “In Figure 1, the Web Servers use static (EC)DH for connections from the Load Balancer, and the Back-End Services use static (EC)DH for connections from the Web Servers.” to “In Figure 1, the Web Servers use a static (EC)DH key pair with the standard TLS 1.3 handshake for connections from the Load Balancer, and the Back-End Services use static (EC)DH for connections from the Web Servers.”
My reason for recommending this is that section 1.2 of the TLS 1.3 draft RFC states “Remove support for static RSA and DH key exchange”. In the TLS 1.2 spec, “static DH” is typically associated with using a certificate with a DH key.