[Last-Call] Secdir telechat review of draft-ietf-radext-tls-psk-10

Reviewer: Hilarie Orman
Review result: Has Issues

Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

This is specious reasoning about the security of symmetric keys when
used for authentication:
>  RADIUS has used shared secrets for thirty years,
>  and this vulnerability has not been known to be exploited.  As such,
>  we believe that this known issue is acceptable for TLS-PSK.
It's not just an "issue", it's a risk, and there must be a more
substantial justification than a belief bolstered by vacuity.

Perhaps the fact that the keys are shared in an "internal / secure"
network sufficiently mitigates the risk?  Other measures as well?


