"Sam Whited" <sam@xxxxxxxxxxxxx> writes: >> The appearance of this paragraph in this section suggests (but does >> not assert) that in TLS 1.3, the cipher negotiation always results in >> unique master secrets. Indeed, it would be extremely convenient if >> (standard-conformant) use of TLS 1.3 always did so, and if so, it >> would be convenient to inform the user by asserting that at the end of >> section 2 (after moving the current last paragraph to a different >> section). > > This one I had a lot of trouble with. I tried to put in some new > language, but it feels out of place to me somehow. I'm not sure that > this document should make assertions about the correctness of TLS 1.3, > as well vetted as it has been, so I tried to phrase it in terms of "this > mechanism is useful so long as this property holds", which seems like it > might belong in security considerations, not the registration section? This is probably the only really significant point in my review ... I can understand your caution here. It seems to me that the ideal solution is for TLS 1.3 to have been explicitly designed so that there are unique master secrets, and then you just reference that. Now it seems that everybody thinks TLS 1.3 has this property, so I'd expect that was an explicit design goal, and it would be documented somewhere. And then this document could just point to that. Dale -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
