
Re: draft-williams-on-channel-binding: IANA rules too complicated

2007-07-06 04:26:36
Jeffrey Altman <jaltman(_at_)secure-endpoints(_dot_)com> writes:

> Sam Hartman wrote:
>> Unless there is strong support for the more complex registration
>> process in the draft, we'd like to go to expert review.
>
> The technical argument in favor of a review list, whether a special
> list for this purpose or some pre-existing list such as SecDir, is that
> it is not always easy to find experts who are familiar with both of the
> protocols being bound.  As a result, having more reviewers is a safety
> net.  This is especially important for reviews of security protocols.
>
> Another reason is accountability: the registration applications and
> responses could be archived in a mailing list archive.  That is helpful
> for future expert reviewers, to be able to review past behaviour and
> considerations when dealing with new situations.
>
> I do not believe that the registration process defined in this draft is
> particularly burdensome.  It is a well defined process with time limits
> that will provide a predictable response time for requesters.  It
> doesn't limit the Area Director's ability to select an expert to perform
> the review.  It simply provides for transparency and public comment on
> the registration.
>
> I believe the registration procedure should be implemented as described
> in the draft.

I agree.

Btw, I couldn't find any checks to make sure that the name prefixes of
channel bindings turn out to be unique?  To solve it, always adding (for
example) a ':' between the IANA allocated and the actual channel binding
value would be useful.  Consider if 'TLS1' and 'TLS1.2' are registered.
Consider a channel binding value for 'TLS1' that, through some encoding,
starts with '.2', thereby forming 'TLS1.2' at the beginning.  Maybe this
problem is already solved, although I have missed it.  Any pointers to
particular sections?

/Simon

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
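The prefix ambiguity Simon raises above can be made concrete with a small parser. The following is an added example, not code from the thread or from draft-williams-on-channel-binding; the registry contents ('TLS1' and 'TLS1.2'), the data value starting with '.2', and the ':' separator are all taken from his message and treated as hypothetical. It encodes a channel binding type name and its data two ways, by bare concatenation and with a ':' separator, and shows that only the delimited form decodes to a single (type, data) pair.

```python
"""Constructed demonstration of channel-binding type-name prefix ambiguity.

A channel binding value is carried as <type name> followed by <data>. If the
two are simply concatenated and one registered name is a prefix of another,
a receiver cannot always tell where the name ends and the data begins.
Inserting a separator that can never appear in a type name removes the
ambiguity.  Registry contents and sample data below are hypothetical.
"""
from typing import List, Tuple

# Hypothetical registry: 'TLS1' is a prefix of 'TLS1.2' (from Simon's message).
REGISTERED_TYPES = {"TLS1", "TLS1.2"}

SEP = b":"  # separator; type names are forbidden from containing it


def encode_bare(cb_type: str, cb_data: bytes) -> bytes:
    """Naive encoding: the type name immediately followed by the data."""
    return cb_type.encode("ascii") + cb_data


def parse_bare(blob: bytes, registry=REGISTERED_TYPES) -> List[Tuple[str, bytes]]:
    """Return every (type, data) split consistent with the registry.

    A well-formed encoding should yield exactly one entry; more than one
    means the receiver cannot recover what the sender meant.
    """
    parses = []
    for name in sorted(registry):
        prefix = name.encode("ascii")
        if blob.startswith(prefix):
            parses.append((name, blob[len(prefix):]))
    return parses


def encode_delimited(cb_type: str, cb_data: bytes) -> bytes:
    """Encoding with a separator between the registered name and the data."""
    if ":" in cb_type:
        raise ValueError("channel binding type names must not contain ':'")
    return cb_type.encode("ascii") + SEP + cb_data


def parse_delimited(blob: bytes, registry=REGISTERED_TYPES) -> Tuple[str, bytes]:
    """Split at the first separator; the data itself may contain ':' freely."""
    name_bytes, sep, data = blob.partition(SEP)
    if not sep:
        raise ValueError("missing ':' separator after channel binding type name")
    name = name_bytes.decode("ascii")
    if name not in registry:
        raise ValueError(f"unregistered channel binding type {name!r}")
    return name, data


def demo() -> dict:
    """Encode the same logical value both ways and parse each back."""
    # Constructed 'TLS1' data whose encoding happens to start with '.2'.
    tls1_data = b".2abc"
    bare = encode_bare("TLS1", tls1_data)
    delimited = encode_delimited("TLS1", tls1_data)
    return {
        "bare_blob": bare,
        "bare_parses": parse_bare(bare),            # two candidates: ambiguous
        "delimited_blob": delimited,
        "delimited_parse": parse_delimited(delimited),  # one answer
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The bare encoding of ('TLS1', b'.2abc') is byte-for-byte identical to the bare encoding of ('TLS1.2', b'abc'), so no receiver can distinguish them; with the separator, the two encodings differ and the data may even contain ':' without harm, because the parser splits at the first separator and names are barred from containing one.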