[quicwg/base-drafts] 9400c2: Replay protection is the responsibility of applica...
Martin Thomson <firstname.lastname@example.org> Wed, 06 February 2019 05:32 UTC
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1736126F72 for <email@example.com>; Tue, 5 Feb 2019 21:32:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Status: No, score=-11.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([188.8.131.52]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrMo5LZLdh7K for <firstname.lastname@example.org>; Tue, 5 Feb 2019 21:32:22 -0800 (PST)
Received: from out-3.smtp.github.com (out-3.smtp.github.com [184.108.40.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BB2712426E for <email@example.com>; Tue, 5 Feb 2019 21:32:22 -0800 (PST)
Date: Tue, 05 Feb 2019 21:32:21 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1549431141; bh=WpJffjXbihb5RHomN1AL3S93gWL3ioHwfOj61JjE75A=; h=Date:From:To:Subject:From; b=G5C7p6wuGWBzAJKmOrrwKqXKbOi9q0hXJ2U31uZnhosJSbQPNZcKVcPTb5V7ocv8G kZSbwA/bFCYIx/cn6LMAiUv46/WjTHjRrQV4MNryQwdYxP8pZkXJEdaSesTfj/Ma40 AYSOP5AdoiKFGhVnXW7CIzCM+HWaTCzhWJMsLBtw=
From: Martin Thomson <firstname.lastname@example.org>
Subject: [quicwg/base-drafts] 9400c2: Replay protection is the responsibility of applica...
Content-Type: text/plain; charset="UTF-8"
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:email@example.com?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:firstname.lastname@example.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2019 05:32:24 -0000
Branch: refs/heads/0rtt-reset Home: https://github.com/quicwg/base-drafts Commit: 9400c2f9b2c5a235ce15377538bc8dc354467f39 https://github.com/quicwg/base-drafts/commit/9400c2f9b2c5a235ce15377538bc8dc354467f39 Author: Martin Thomson <email@example.com> Date: 2019-02-06 (Wed, 06 Feb 2019) Changed paths: M draft-ietf-quic-tls.md Log Message: ----------- Replay protection is the responsibility of application protocols This is based on my recent conclusions about this subject. It rewrites the advice here by observing that QUIC does not inherently present a replay risk. Instead, application protocols, in their use of QUIC, might create an exposure to replay attack. Rather than try to perform an analysis in the transport, based on incomplete information, it is better to outline some risks (STREAM seems like the only obvious one here, frankly, though I've pointed out a couple of anti-patterns that might have accompanying replay risks) and let the application protocol designers perform a more complete analysis. We did that analysis for HTTP. I believe that to be sufficient. Though I might include mention of the fact that stream cancellation and other h2 mechanisms don't carry application semantics, but that is not a major source of regret.
- [quicwg/base-drafts] 9400c2: Replay protection is… Martin Thomson