Re: [quicwg/base-drafts] Authenticate connection IDs (#3499)

David Schinazi <> Tue, 12 May 2020 02:32 UTC


@DavidSchinazi commented on this pull request.

> +~~~
+Client                                                  Server
+Initial: DCID=S1, SCID=C1 ->
+                                   <- Retry*: DCID=C1, SCID=S2
+Initial*: DCID=S2, SCID=C1 ->
+                                  <- Initial: DCID=C1, SCID=S3
+                             ...
+1-RTT: DCID=S3 ->
+                                             <- 1-RTT: DCID=C1
+{: #fig-auth-cid title="Use of Connection IDs in a Handshake"}
+For the handshake in {{fig-auth-cid}} the client sets the value of the
+initial_source_connection_id transport parameter to `C1`. If the server sends a
+Retry packet (that is, the packets marked with a '*' are sent), it sets
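
Review bot: The '*' marker on `Retry*` and `Initial*` in the figure is explained only in the parenthetical of the paragraph that follows ("the packets marked with a '*' are sent"), so the figure on its own does not say that these two packets are conditional. Consider adding a one-line key inside the figure, or stating it in the `title` of `{: #fig-auth-cid ...}`, so the diagram can be read without the prose. The visible text ties `C1` to initial_source_connection_id; it would help to name the parameter for each of `S1`, `S2` and `S3` in the same place.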

I really like the diagram, but I would prefer to split it in two. There are two possible handshakes described here: without and with retry involved. I think that the `the packets marked with a '*' are sent` caveat is confusing, because when those packets aren't sent, the `1-RTT: DCID=S3` needs to be replaced by `1-RTT: DCID=S2`. It might be simpler to have two diagrams and two examples.

 If the client received and processed a Retry packet, it MUST validate that the
-original_connection_id transport parameter is present and correct; otherwise, it
-MUST validate that the transport parameter is absent.  A client MUST treat a
-failed validation as a connection error of type TRANSPORT_PARAMETER_ERROR.
+retry_source_connection_id transport parameter is present and correct;
+otherwise, it MUST validate that the transport parameter is absent. A client
+MUST treat a failed validation as a connection error of type
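
Review bot: "present and correct" in the added retry_source_connection_id sentence does not say what the value is checked against; state the comparison explicitly (the parameter name suggests the Source Connection ID of the Retry packet the client processed). In the "otherwise" clause, "the transport parameter" would read more clearly as "the retry_source_connection_id transport parameter", since the patch also introduces initial_source_connection_id and a bare reference is now ambiguous.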

This contradicts line 1568
> An endpoint MUST treat any of the following as a connection error of type PROTOCOL_VIOLATION

I have a slight preference for PROTOCOL_VIOLATION over TRANSPORT_PARAMETER_ERROR, though I don't much care as long as this section matches the other one.
