Early Review of draft-ietf-tls-oob-pubkey-09
review-ietf-tls-oob-pubkey-09-genart-early-holmberg-2013-08-06-00

Request Review of draft-ietf-tls-oob-pubkey
Requested rev. no specific revision (document currently at 11)
Type Early Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-11-19
Requested 2013-08-02
Authors Paul Wouters, Hannes Tschofenig, John Gilmore, Samuel Weiler, Tero Kivinen
Draft last updated 2013-08-06
Completed reviews Genart Early review of -09 by Christer Holmberg
Genart Telechat review of -10 by Christer Holmberg
Secdir Last Call review of -09 by Yaron Sheffer
Opsdir Telechat review of -10 by Linda Dunbar
Assignment Reviewer Christer Holmberg
State Completed
Review review-ietf-tls-oob-pubkey-09-genart-early-holmberg-2013-08-06
Reviewed rev. 09 (document currently at 11)
Review result Almost Ready
Review completed: 2013-08-06

Review
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>

Document:            draft-ietf-tls-oob-pubkey-09
Reviewer:            Christer Holmberg
Review Date:         6 August 2013
IETF LC End Date:    16 August 2013
IETF Telechat Date:  N/A

Summary: There are some editorial issues that I personally think would make the document more clear.

Major Issues: None

Minor Issues:

GENERAL:
========

QGEN_1:

The document talks about "raw public keys". I know it is a commonly used term, but it is not defined in RFC 5246. I think it would be good to have a short section which describes what it is, the advantages compared to certificates etc. I KNOW there is some text in the Security Section, but I think a general description would be useful in the beginning of the spec also. Note that the security aspects do not need to be described in such a section.

QGEN_2:

Some parts of the document talk about "TLS clients and servers", while other parts talk only about "clients and servers". I suggest using consistent wording.

Section 1:
==========

Q1_1:

s/"using the TLS handshake"/"as part of the TLS handshake procedure"

Q1_2:

s/"TLS handshake and validated"/"TLS handshake and are validated"

Q1_3:

At the end of the section, I would suggest a new paragraph, which says something like:

    "Section 3 defines the two TLS extensions 'client_certificate_type' and 'server_certificate_type',
    which can be used as part of an extended TLS handshake when raw public keys are to be used. Section
    4 defines the TLS handshake extension."

Section 3:
==========

Q3_1:

I would suggest having an introduction sub-section, and then separate sub-sections for the 'client_certificate_type' and 'server_certificate_type' usage details, e.g. something like:

    "3.1.  General

    3.2.  'client_certificate_type' usage

    When used in a Client Hello message, the 'client_certificate_type' is used to blah blah blah
    When used in a Server Hello message, the 'client_certificate_type' is used to blah blah blah

    3.3.  'server_certificate_type' usage

    When used in a Client Hello message, the 'server_certificate_type' is used to blah blah blah
    When used in a Server Hello message, the 'server_certificate_type' is used to blah blah blah"

(Of course, if you would rather divide the sub-sections based on hello type, I'm fine with that also :)

Q3_2:

The first sentence in the section says:

    "This section describes the changes to the TLS handshake message contents when raw public keys are to be used."

I think this is a little misleading, as the TLS handshake message is extended in section 4. So, similar to the text I suggested for section 1, I suggest something like:

    "This section defines the two TLS extensions 'client_certificate_type' and 'server_certificate_type',
    which can be used as part of an extended TLS handshake when raw public keys are to be used. Section
    4 defines the TLS handshake extension."

Section 4:
==========

Q4_1:

I would suggest an introduction section, e.g. something like:

    "4.1. General

    This section extends the ClientHello and ServerHello messages, according
    to the extension procedures defined in [RFC5246].

    The specification does not extend or modify any other TLS messages."

...and then remove current sections 4.3. and 4.4.

Section 5:
==========

Q5_1:

I would suggest having sub-sections for each example, e.g. something like:

    5.1. TLS client indicates ability to receive and validate raw public keys from the server
    5.2. TLS client and server use raw public keys.
    5.3. Combined usage of raw public keys and X.509 certificate

Then, each sub-section would start with: "This section shows an example where blah blah blah...".

Q5_2:

The text in the FIRST example says:

    "The 'client_certificate_type' extension indicates this in [1].  When the
    TLS server receives the client hello it processes the 'client_certificate_type' extension."

However, in the flow picture there is no 'client_certificate_type'. Is there some copy/paste error?