On Wed, May 06, 2015 at 02:58:42PM +0000, Romascanu, Dan (Dan) wrote:
Ready with minor comments.
I liked the operational considerations section and the security
consideration section - very useful in putting this work in the context
of other similar contributions.
Thanks.
Minor issues:
As the document uses heavily the term 'downgrade' (downgrade attack,
downgrade-resistant) it would be nice to either explain or provide a
reference for what it means in the context of this work.
In RFC 4949, at the bottom of page 112 we find:
downgrade attack
(I) A type of man-in-the-middle attack in which the attacker can
cause two parties, at the time they negotiate a security
association, to agree on a lower level of protection than the
highest level that could have been supported by both of them.
We could add "downgrade attack" to the terminology, and briefly
define "downgrade resistance" under the same heading. Alternatively,
since the primary downgrade at issue is stripping of STARTTLS, some
additional text could be added in 1.3.1 to introduce the terms.
Any advice on how to proceed?
Nits/editorial comments:
The last paragraph in section 2.2.1, page 15 has a comment marked twice
by --. This may be an editorial left-over to be corrected.
That's what the RFC editor's xml2rfc does with "—". When I
run xml2rfc, it produces "richer" HTML output, in which the mdashes
remain as such. Should I avoid "—"?
--
Viktor.