Re: [apps-discuss] For consideration as an appsawg document: draft-hoffman-server-has-tls-03.txt

Patrik Fältström <patrik@frobbit.se> Wed, 26 January 2011 07:09 UTC

From: Patrik Fältström <patrik@frobbit.se>
In-Reply-To: <4D33AC5F.3010609@vpnc.org>
Date: Wed, 26 Jan 2011 08:11:21 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <E12DB6A4-FA57-47E3-9941-8B5F34F082AC@frobbit.se>
References: <4D33AC5F.3010609@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1082)
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] For consideration as an appsawg document: draft-hoffman-server-has-tls-03.txt

I have had a look at this, and have three questions:

1. Have I understood it correctly that the client, by using this RR, can refuse to fall back to an insecure connection for "communication using HTTP"? I.e. it seems the RR is specifying whether fallback is possible not only per port, which works when you have "STARTTLS" or similar, but not when fallback is between ports?

2. If so, the "input" to the query should in that case be not only the hostname, but the protocol and hostname, right? So one could use a prefix-based mechanism like _http._tcp.example.com. IN HASTLS 0 443 0

3. I am always a bit nervous over RDATA that has variable length. Do you have an implementation of this so that you have tried to ensure "it works"?

Otherwise, as someone said, overall negotiation I think is interesting.

   Patrik

On 17 jan 2011, at 03.41, Paul Hoffman wrote:

> Greetings again. I would like this WG to consider adopting the following draft as a WG item. It is definitely apps-related, and there is no other appropriate WG in the Applications or Security areas for it. It has been discussed in the websec WG, but that WG is limited to HTTP only (and this document covers TLS for all application protocols).
> 
> FWIW, some of the topics in this draft are quite open for active discussion. The discussion in websec brought up some interesting issues, but they got discussed in the HTTP context only, and this WG would be a better place to discuss them for all server protocols.
> 
> --Paul Hoffman
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 	Title           : Specifying That a Server Supports TLS
> 	Author(s)       : P. Hoffman
> 	Filename        : draft-hoffman-server-has-tls-03.txt
> 	Pages           : 8
> 	Date            : 2011-01-16
> 
> A server that hosts applications that can be run with or without TLS
> may want to communicate with clients whether the server is hosting an
> application only using TLS or also hosting the application without
> TLS.  Many clients have a policy to try to set up a TLS session but
> fall back to insecure if the TLS session cannot be set up.  If the
> server can securely communicate whether or not it can fall back to
> insecure tells such a client whether or not they should even try to
> set up an insecure session with the server.  This document describes
> the use cases for this type of communication and a secure method for
> communicating that information.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-hoffman-server-has-tls-03.txt
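To make the questions above concrete, here is an added example of the client-side logic such a record would drive; it is not code from the draft or from either author. The owner-name convention `_http._tcp.<host>` follows Patrik's suggestion in question 2; the three RDATA fields and their meanings (in-band STARTTLS flag, dedicated TLS port, plaintext-permitted flag) are assumptions made here for illustration, not the draft's definition. The parser rejects RDATA that does not have exactly the expected shape, which is the kind of check question 3 asks about, and the connection planner only lets the record remove the plaintext fallback when the answer was DNSSEC-validated, since an unauthenticated answer must not be able to change the client's security policy.

```python
"""Client-side use of a per-protocol "server has TLS" DNS record.

Added example for this thread; not code from the draft or from either
author. The owner-name convention (_http._tcp.<host>) follows Patrik's
question; the three RDATA fields and their meanings are assumptions made
here for illustration and are not the draft's definition.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TlsAvailability:
    # Hypothetical field 1: TLS can be negotiated in-band (STARTTLS) on the
    # protocol's plain port.
    starttls_same_port: bool
    # Hypothetical field 2: dedicated TLS port; 0 in the record means none.
    tls_port: Optional[int]
    # Hypothetical field 3: the server permits a plaintext session at all.
    insecure_allowed: bool


def parse_owner(name: str) -> Tuple[str, str, str]:
    """Split '_http._tcp.example.com.' into (protocol, transport, host)."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("owner name must look like _<proto>._<transport>.<host>")
    return labels[0][1:], labels[1][1:], ".".join(labels[2:])


def parse_rdata(text: str) -> TlsAvailability:
    """Strictly parse presentation-format RDATA such as '0 443 0'.

    Malformed or wrong-length RDATA is rejected rather than guessed at.
    """
    fields = text.split()
    if len(fields) != 3:
        raise ValueError("expected exactly three RDATA fields, got %d" % len(fields))
    starttls, port_text, insecure = fields
    if starttls not in ("0", "1") or insecure not in ("0", "1"):
        raise ValueError("flag fields must be 0 or 1")
    if not port_text.isdigit():
        raise ValueError("port must be a non-negative integer")
    port = int(port_text)
    if port > 65535:
        raise ValueError("port out of range")
    return TlsAvailability(starttls == "1", port or None, insecure == "1")


def plan_connection(record: Optional[TlsAvailability], dnssec_validated: bool,
                    default_port: int, opportunistic_fallback: bool = True
                    ) -> List[Tuple[str, int]]:
    """Return the ordered list of (mode, port) attempts a client should make.

    The record may only remove the plaintext fallback when it was
    DNSSEC-validated. An unvalidated answer is used at most as a hint for
    which TLS attempts to try first; fallback is then governed by the
    client's own default policy, so spoofed DNS cannot downgrade it.
    """
    attempts: List[Tuple[str, int]] = []
    if record is None:
        # No record: legacy opportunistic behaviour, try STARTTLS first.
        attempts.append(("starttls", default_port))
    else:
        if record.tls_port:
            attempts.append(("tls", record.tls_port))
        if record.starttls_same_port:
            attempts.append(("starttls", default_port))
    if record is not None and dnssec_validated:
        allow_plain = record.insecure_allowed
    else:
        allow_plain = opportunistic_fallback
    if allow_plain:
        attempts.append(("plaintext", default_port))
    return attempts


if __name__ == "__main__":
    # Constructed sample answer for the record sketched in question 2.
    proto, transport, host = parse_owner("_http._tcp.example.com.")
    rec = parse_rdata("0 443 0")
    print(proto, transport, host, plan_connection(rec, dnssec_validated=True, default_port=80))
```

With the assumed field meanings, a validated `0 443 0` answer yields a single attempt, TLS on 443, and no plaintext fallback; the same answer received without DNSSEC validation still tries 443 first but keeps the client's default fallback to port 80, which is the distinction question 1 is asking about.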