I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.




This document adds new cipher suites to TLS that include the use of the 


Camilla algorithm.






The document follows the format of other documents that have defined 


cipher suites to TLS.  In most cases the text just points to those other 


documents.






It is entirely possible that with sufficient time to study the 9 or 10 


references that point to the definition of other cipher suites being cited 


as models for these cipher suites, I'd be able to view the document as 


obvious.  Unfortunately I had neither the experience nor the time for 


sufficient study.  So I found the text not clear about what other cipher 


suites were being invoked as models for the suites here.






The security consideration section points to the sections in seven other 


similar documents.  I have not been able to review that list of security 


considerations sections to see that they adequately cover the concers for 


this algorithm. But as this document is not proposing any novel new 


combinations of security features and (according to the document, not me) 


Camilla is very similar to AES, I presume that security considerations are 


adequately covered.  I know of no security concerns specific to Camilla.






The language in section 3 (cipher suite definitions) makes frequent 


mention of the way similar suites are defined elsewhere.  As a person who 


is not au courant on cipher suites, I did not find the language obvious.




   Advanced Encryption Standard (AES) [20] authenticated encryption with
   additional data algorithms, AEAD_AES_128_GCM and AEAD_AES_256_GCM are
   described in RFC5116 [8].  And AES GCM cipher suites for TLS are
   described in RFC5288 [10].  AES and Camellia share common
   characteristics including key sizes and block length.
   CAMELLIA_128_GCM and CAMELLIA_256_GCM are defined according as those
   of AES.



I believe that the authors mean that the definitions of the Cammilla 


suites are the same as in section 5.1 and 5.2 of 5116 and section 3 of 


5288, with appropriate substitution of "Camilla" for "AES", but I am not 


sure which of the cipher suites in 2.1, 2.2 and 2.3 of this document are 


included.  Particularly as the PSK suites listed in 2.3 would seem to be 


described in section 3.4 with reference to entirely other documents.


Perhaps someone more experienced with cipher suites would think this was 


obvious, but I could have used a more explicit mapping between the suites 


defined here and the suites from which the descriptions are being 


borrowed.






Section 3.4 is particularly opaque to my inexperienced eyes as to the 


mapping between these cipher suites and the similar cipher suites whose 


descriptiosn are being borrowed:




   PSK cipher suites for TLS are described in RFC4279 [5], RFC4785 [7],
   RFC5487 [12], and RFC5489 [13].

That is the complete description of the suites.

Which ref applies to which suite in this document?

--Sandy