IETF Logo Mail Archive

Re: Historic TLS Discussion

Marten Seemann <martenseemann@gmail.com> Tue, 23 January 2024 03:30 UTC

Return-Path: <martenseemann@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B512C14F6A4 for <quic@ietfa.amsl.com>; Mon, 22 Jan 2024 19:30:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uds-CVslEg5o for <quic@ietfa.amsl.com>; Mon, 22 Jan 2024 19:29:59 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCA65C14F5F9 for <quic@ietf.org>; Mon, 22 Jan 2024 19:29:59 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-55a45a453eeso4769429a12.0 for <quic@ietf.org>; Mon, 22 Jan 2024 19:29:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705980598; x=1706585398; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rDtzxM9Q9Bd4gAreT3HxyAAZKDYjTKkuSL6fvSa00CA=; b=MNHA0AvQDXyIAZfL+ArHvTvOI9u1DUhdXA4AXCjPswXagbD2aaIdvjL0liIXqDZTsq OW7vRpCfLQbnDz+fqzpOK3O6EVURLiGblvvMjBCpiS0ClcCtjim/jEdYbZRVhgbz7Z9q +N+Fj+8CnhEKrjf4LPYjrnKQylcLd6tiyf/Isdr/zVYczGrjAepke+jh/iSwbQeH6/1p S13aOHWXCh/SUk94sj8XkOfjM1AL/BsEChEMdb9MtjawJ0a7UZiWd1zKPe7v3C2K8uQG 9z1Ku5QF9ns9Yw/Ncnzdd8V9l08kg4SnpKgVkqVjn5oPNRn2fUOoVmRuoB8Pxi+g9Qlb YsTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705980598; x=1706585398; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rDtzxM9Q9Bd4gAreT3HxyAAZKDYjTKkuSL6fvSa00CA=; b=K9FJz2tOG9nC7Rbw5PZI858uC3zUCW1odNru6Bc5GKOfuuMaSrs+54QgPLWEfG/TYE NULiSf+/X0siNQlVJ2ploomCFpMC8bMU44EsjyW4XOndZLSpUm7v+aEsXBDLvDQ3kCrN 9HdzIMxG9VBvAp0ucTCpCxtizwqPKdkXaGDzIr1MXHmfnqxdc1OUxfNGBqbwK2Es8e8d 3B1PLPIkFAVMnYIt8bT8QQ+Qd1zfnpi3vu4UiwcdBdU3ZTyb/XCjlzBXnFE9/wlCWxbY POiCuw7u+/6quHV0IHkz8u3RmXFRRBLehoTjUlyXgu1PyRBbkh27fVB3S03vTELjHzhJ Pb/g==
X-Gm-Message-State: AOJu0YxoMN08YqqulIpCdeU3xcOd8nrjvBwn4M6MkQtrHz0f2eDskTVI VHvf4ffMYNi+DliBCVeV4AjF/qsmUQs4Ec8n4pSJks/9s3xPhRQadxxK2qCB5Vp6FYSgjfSzx43 QCUeW/SFE95nvuh0Fd9K8l4bahpQ=
X-Google-Smtp-Source: AGHT+IEtOppoMw2z3aiZAQ+BiQH+buRdLILG3nGfnaDVxyV3orwY55JLP6w7kOSTcunkbvg8jVWvxtpmTsuzenKeASY=
X-Received: by 2002:a05:6402:1c04:b0:557:4d6a:7820 with SMTP id ck4-20020a0564021c0400b005574d6a7820mr518234edb.73.1705980597745; Mon, 22 Jan 2024 19:29:57 -0800 (PST)
MIME-Version: 1.0
References: <SA1PR04MB8561BABF161D2CF980526E56BF752@SA1PR04MB8561.namprd04.prod.outlook.com> <CACcvr==ik5+A-b5E2VsQGU4k42U7oAsJKNdaKXMANWY11Ae-4g@mail.gmail.com> <CADdTf+igvDGLoQvfD5gKKCR24xD9-NE_1FyWgDMQH5Dj=QxikQ@mail.gmail.com> <SA1PR04MB8561574A21D536B2BBDF0C70BF752@SA1PR04MB8561.namprd04.prod.outlook.com>
In-Reply-To: <SA1PR04MB8561574A21D536B2BBDF0C70BF752@SA1PR04MB8561.namprd04.prod.outlook.com>
From: Marten Seemann <martenseemann@gmail.com>
Date: Tue, 23 Jan 2024 10:29:46 +0700
Message-ID: <CAOYVs2pvMCVbKAGJ3QAneSNazr363UyG5PJDP2fP21YyisAdAQ@mail.gmail.com>
Subject: Re: Historic TLS Discussion
To: Nicholas Warren <nwarren@barryelectric.com>
Cc: Matt Joras <matt.joras@gmail.com>, Nick Harper <ietf@nharper.org>, "lucas@lucaspardue.com" <lucas@lucaspardue.com>, "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000085bb88060f948f27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/IwJYgun8lfrkUpFx350rJFnEKk4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2024 03:30:00 -0000

Plain-text communication was an explicit anti-goal in the design of QUIC.
That said, there was a QUIC extension that disables encryption after the
handshake, but it never moved past a -00 version, and has expired a long
time ago:
https://datatracker.ietf.org/doc/html/draft-banks-quic-disable-encryption

> The second is slight concern that what became of TLS 1.0, 1.1, and 1.2
will become of 1.3. How will QUIC be updated to TLS1.3's successor? Lucas
hinted that it's possible to swap out TLS. The answer to this concern is no
doubt in the documentation you've worked on.

That depends on the shape of the TLS 1.3 successor. It might be possible
that this version can be negotiated on the TLS layer, and no changes to the
QUIC integration are needed at all. Or it might require changes to the API
between the TLS and the QUIC stack, in that case, we'd need to define a new
QUIC version. QUIC has a built-in version negotiation mechanism that will
make this transition possible in internet-wide deployments.

On Tue, 23 Jan 2024 at 03:41, Nicholas Warren <nwarren@barryelectric.com>
wrote:

> My curiosity stems from two parts. The first is that QUIC, except
> mandatory TLS, seems to be the most attractive "out of the box"
> transportation protocol for a personal group project (vs. TCP, UDP, and
> SCTP). Our desire for plain-text communication is because we need to watch
> the communication.
>
> The second is slight concern that what became of TLS 1.0, 1.1, and 1.2
> will become of 1.3. How will QUIC be updated to TLS1.3's successor? Lucas
> hinted that it's possible to swap out TLS. The answer to this concern is no
> doubt in the documentation you've worked on.
>
> Personally, I think mandatory TLS will be fantastic for internet traffic.
> I will be watching Martin Thomson's overview, thank you.
>
> -----Original Message-----
> From: Matt Joras <matt.joras@gmail.com>
> Sent: Monday, January 22, 2024 12:31 PM
> To: Nick Harper <ietf@nharper.org>
> Cc: Nicholas Warren <nwarren@barryelectric.com>; quic@ietf.org
> Subject: Re: Historic TLS Discussion
>
> (no hats on)
>
> What Nick says matches my understanding. Nicholas, could you elaborate why
> you're asking? I.e. are you curious _why_ QUIC mandates TLS 1.3, instead of
> something else, or leaving open the door more explicitly for something else?
>
> On Mon, Jan 22, 2024 at 10:25 AM Nick Harper <ietf@nharper.org> wrote:
> >
> > That discussion would've happened during the WG formation. That QUIC
> uses TLS has been in the WG charter since the first draft that I see on the
> datatracker, and the original approved charter calls out a key goal of
> "Providing always-secure transport, using TLS 1.3 by default."
> >
> > On Mon, Jan 22, 2024 at 10:12 AM Nicholas Warren <
> nwarren@barryelectric.com> wrote:
> >>
> >> Hello quic wg.
> >>
> >> I am curious about how quic seemingly mandates usage of TLS (rfc9000
> section 5); albeit I have not completely read quic-tls.
> >>
> >> Does anyone remember when you all discussed this? I was hoping to go
> back and read the archived list from when the discussion had taken place.
> >>
> >> Thanks,
> >>
> >> Nich Warren
>

v2.23.0 | Report a Bug | By Email