Re: [quicwg/base-drafts] Authenticate connection IDs (#3499)

David Schinazi <> Tue, 12 May 2020 01:24 UTC

@DavidSchinazi commented on this pull request.

> @@ -1503,7 +1548,7 @@ An endpoint MUST NOT send a parameter more than once in a given transport
 parameters extension.  An endpoint SHOULD treat receipt of duplicate transport
 parameters as a connection error of type TRANSPORT_PARAMETER_ERROR.
-A server MUST include the original_connection_id transport parameter
+A server MUST include the original_destination_connection_id transport parameter
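
Review bot: the `+` line stops at "transport parameter", so the part of the sentence that scopes this MUST falls outside the hunk and cannot be checked here. The text should state explicitly when the server is required to send original_destination_connection_id. Since this line renames original_connection_id, any remaining uses of the old name elsewhere in the draft, including its definition, also need to be updated so the requirement and the definition agree.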

@martinthomson you truncated the sentence in your quote. The full sentence from your PR is:

> A server MUST include the original_destination_connection_id transport parameter
> ({{transport-parameter-definitions}}) if it sent a Retry packet to enable
> validation of the Retry, as described in {{packet-retry}}.

How about we keep the first line, but replace the rest:

> A server MUST include the original_destination_connection_id transport parameter
> to mitigate an attacker's ability to tamper with connection IDs during the handshake.
