- From: Eric Rescorla <ekr@rtfm.com>
- Date: Mon, 18 Jul 2016 08:12:18 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CABcZeBMKDr32xExazSmT4rxscC5ZDNm2Hckuu-ec=k_PJ9jrhQ@mail.gmail.com>
I re-reviewed this draft, and I have some comments.

OVERALL

This draft has gotten really complicated. You basically have half of S/MIME here, including multiple KE mechanisms. I think this reinforces my concerns about nailing down the symmetric encryption algorithm, particularly in view of the fact that you have pluggable DH groups (including both FF and EC). That's oddly inconsistent and I think you should make the symmetric algorithm pluggable as well.

DETAILS

S 2.
The description of the padding and end-of-data marker is kind of hard to follow. As I understand it, the reader is supposed to know from HTTP context when the last record is done? You should say that explicitly.

S 3.2.
A cross-reference to where some context values are defined would be useful.

You write here and other places:

   CEK = HMAC-SHA-256(PRK, cek_info || 0x01)

But this produces a 256-bit value, not a 128-bit one.

S 3.3.
You should explain why you are using this nonce construction.

S 4.2.
Because your context value uses the curve label, I would use a more generic term than "label". And maybe quote it above to make it clear.

S 4.3.
You should probably HKDF-Extract the authentication secret prior to using it as the salt to HKDF.

-Ekr
Received on Monday, 18 July 2016 06:13:25 UTC
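The key-length point in the S 3.2 comment, worked through in code. This is an added example, not code from the review or from the draft: it implements HKDF (RFC 5869) over HMAC-SHA-256, shows that the single HMAC round written in the review always yields 32 bytes, and that a 128-bit CEK is the L=16 truncation HKDF-Expand gives. The function and variable names, the sample inputs, and the two-stage salt derivation in `prk_with_extracted_auth` (one possible reading of the S 4.3 suggestion) are assumptions, not the draft's text.

```python
"""HKDF (RFC 5869) with HMAC-SHA-256, and the CEK length point raised in
the review.  Added example, not the draft's or the reviewer's code.
Names, sample inputs and the auth-secret derivation are assumptions."""
import hmac
import hashlib

HASH_LEN = 32  # SHA-256 output length in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 s2.2: PRK = HMAC-Hash(salt, IKM).
    An absent salt is replaced by HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 s2.3: T(i) = HMAC-Hash(PRK, T(i-1) || info || i),
    OKM = first `length` bytes of T(1) || T(2) || ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def single_round(prk: bytes, cek_info: bytes) -> bytes:
    """The expression exactly as the review quotes it:
    HMAC-SHA-256(PRK, cek_info || 0x01).  This is T(1) of HKDF-Expand
    and is always 32 bytes (256 bits), never 16."""
    return hmac.new(prk, cek_info + b"\x01", hashlib.sha256).digest()


def derive_cek(prk: bytes, cek_info: bytes) -> bytes:
    """A 128-bit CEK is HKDF-Expand(PRK, cek_info, 16), i.e. the first
    16 bytes of T(1).  Spelling out L=16 is what the draft text lacks."""
    return hkdf_expand(prk, cek_info, 16)


def prk_with_extracted_auth(auth_secret: bytes, shared_secret: bytes) -> bytes:
    """ASSUMPTION: one reading of the S 4.3 suggestion.  Instead of using
    the raw authentication secret directly as an HKDF salt, first run it
    through HKDF-Extract (with an empty salt) and use that output as the
    salt when extracting the shared secret."""
    auth_prk = hkdf_extract(b"", auth_secret)
    return hkdf_extract(auth_prk, shared_secret)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the draft.
    prk = hkdf_extract(b"16-byte-salt-xyz", b"constructed shared secret")
    cek_info = b"Content-Encoding: aesgcm\x00"  # assumed info string
    print("single HMAC round:", len(single_round(prk, cek_info)), "bytes")
    print("HKDF-Expand L=16 :", len(derive_cek(prk, cek_info)), "bytes")
```

`hkdf_extract` and `hkdf_expand` reproduce the RFC 5869 test vectors, so the two CEK helpers differ only in whether the 32-byte T(1) is truncated; that truncation is the step the reviewed text leaves implicit.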