Document: draft-ietf-tls-hybrid-design Title: Hybrid key exchange in TLS 1.3 Reviewer: Tim Chown Review result: Has Nits Hi, I have reviewed draft-ietf-tls-hybrid-design as part of the IETF Last Call process. The draft presents a framework for using multiple key exchange algorithms such that should all but one of those multiple algorithms be defeated security is still maintained. The original motivation lay with the transition to post-quantum cryptography, with the draft having been iterated since at least 2019. I agree that there is good motivation for the draft, and producing a document capturing such recommendations is time well spent. General comments: The document is well-written and clear to read, and about the right length for its nature. There are some points that have led me to say that nits remain. 1) I am a little puzzled that it is Informational, yet uses a lot of 2119 language, in particular several MUSTs. While I believe Informational documents can do this, I think it's relatively rare to see. Perhaps the status should be reconsidered, or the use of such language. 2) I also note the document states that the term 'hybrid' is used in other contexts, and could potentially cause confusion here. I would agree that 'composite' would be a better term to use, but a rewrite to change that would take time and effort. 3) The discussion around performance and latency tradeoffs of the additional algorithms being blended is appropriate. The document could note more clearly that the tolerance for lower performance / increased latency will depend on the context and use case of the systems and the network involved. 4) In the backwards compatibility section, is it also possible that a client or server may not be hybrid-aware, but two 'next generation' algorithms be in use, with no traditional algorithm, or by definition does a 'widely deployed' traditional algorithm have to be included? Overall, the document is close to being ready to advance. Tim -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
