[noise] Noise Socket draft review

Trevor Perrin trevp at trevp.net
Sat Apr 8 15:55:27 PDT 2017 

Hi Alexey,

Here's some comments on the Noise Socket draft:

https://github.com/noisesocket/spec/blob/master/noise_socket.md


Section 2
----------
 - I would remove discussion of Noise_IK and 0-RTT for now.
 - If we're getting rid of null public keys, then you could just talk
about "dummy" public keys.

Section 3
-----------
 - ASCII art is inherently ugly, consider using Pandoc markdown which
can insert images into HTML and PDF (that's how I did specs at [1]).
 - "payload" is a term used in the Noise spec, so I would maybe use a
different term here

Section 4
----------
 - You say that the sub-messages each "corresponds to a concrete Noise
protocol".  But that's not necessarily true, it would be possible to
have sub-messages corresponding to non-Noise protocols.
 - Variable names are confusing.  It's Ps for message size, but Tl for
type length, and Ml for message length?
 - L bytes string indicating message type T?  Is L the same as Tl?
 - The ASCII diagram here is confusing as well.
 - The first and second messages should be split into separate
document sections, or the "following fields" should be placed in a
table or something, the structure of this section is hard to follow.
 - Remove the discussion of "Additional data" and Noise_IK for now.

Section 5
----------
 - Maybe move the HEX prologue to an Appendix at the end, which
contains test vectors?

Section 6
-----------
 - You disallow people from sending unencrypted payloads in the first
message, but I don't think that's necessary, maybe people are willing
to send things like SNI or other protocol negotiation in the clear.

Section 8
----------
This seems like a good example of the TLS-style complexity we are
trying to avoid:
 - Do we really need multiple channels of data?
 - Do we need to negotiate max packet size? In an earlier discussion
Rhys and I liked the idea of allowing the API to set max fragment
sizes, but not have this be auto-negotiated, as most people won't need
this.
 - I'm not convinced we need padding at this layer, but I'd like to
look more at the API and use cases to help answer that.

So I wonder if the complexity here could be removed or radically cut down.

Section 10
-----------
 - I would delete this, and not include rekeying.

Other
------
 - You should probably make this document self-contained, i.e. present
the full sequence of crypto operations.  Adopters want to see a simple
list of steps, they won't want to read the 40-page Noise spec.
 - You might want to add a section of test vectors
 - There should probably be a section discussing a recommended API.
For example:

    Initialize(keypair or None)
    SendClientHello -> RecvClientHello
    RecvServerAuth <- SendServerAuth
    SendClientAuth -> RecvClientAuth
    Send <-> Recv

    GetPeerPublicKey()
    SetMaxMessageSize()

Where all the Send calls take a payload, and the Recv calls return a
payload.  Something like that?


Minor
------
simplier -> simpler
+and+ easier to implement
internaly -> internally
amount -> number

Trevor

[1] https://whispersystems.org/docs/

More information about the Noise mailing list