IETF Logo Mail Archive

Re: [TLS] Review of draft-guballa-tls-terminology-03

"Schwarz, Albrecht (Nokia - DE)" <albrecht.schwarz@nokia.com> Wed, 27 April 2016 15:48 UTC

Return-Path: <albrecht.schwarz@nokia.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A9E12D0AE for <tls@ietfa.amsl.com>; Wed, 27 Apr 2016 08:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ceD6J_OMJ3-A for <tls@ietfa.amsl.com>; Wed, 27 Apr 2016 08:48:31 -0700 (PDT)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 857CA12B047 for <tls@ietf.org>; Wed, 27 Apr 2016 08:48:31 -0700 (PDT)
Received: from fr712umx3.dmz.alcatel-lucent.com (unknown [135.245.210.42]) by Websense Email Security Gateway with ESMTPS id 8D561EC385F54; Wed, 27 Apr 2016 15:48:26 +0000 (GMT)
Received: from fr711usmtp1.zeu.alcatel-lucent.com (fr711usmtp1.zeu.alcatel-lucent.com [135.239.2.122]) by fr712umx3.dmz.alcatel-lucent.com (GMO-o) with ESMTP id u3RFmSrk026326 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 27 Apr 2016 15:48:28 GMT
Received: from FR711WXCHHUB02.zeu.alcatel-lucent.com (fr711wxchhub02.zeu.alcatel-lucent.com [135.239.2.112]) by fr711usmtp1.zeu.alcatel-lucent.com (GMO) with ESMTP id u3RFmSpK017944 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 27 Apr 2016 17:48:28 +0200
Received: from FR711WXCHMBA03.zeu.alcatel-lucent.com ([169.254.3.187]) by FR711WXCHHUB02.zeu.alcatel-lucent.com ([135.239.2.112]) with mapi id 14.03.0195.001; Wed, 27 Apr 2016 17:48:27 +0200
From: "Schwarz, Albrecht (Nokia - DE)" <albrecht.schwarz@nokia.com>
To: EXT Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Review of draft-guballa-tls-terminology-03
Thread-Index: AQHRn+OaVk0dK2ZXAE+4bi4kHxNxuJ+dsk9w
Date: Wed, 27 Apr 2016 15:48:27 +0000
Message-ID: <786615F3A85DF44AA2A76164A71FE1ACE1A46C9C@FR711WXCHMBA03.zeu.alcatel-lucent.com>
References: <CABcZeBO41EEFDyWdWS=ZW984BBWwm_akM3LpMe0VZ2KxKHRVfQ@mail.gmail.com>
In-Reply-To: <CABcZeBO41EEFDyWdWS=ZW984BBWwm_akM3LpMe0VZ2KxKHRVfQ@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.239.27.41]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/15FaLjgmiah56DRBd3zKdnHgTrE>
Subject: Re: [TLS] Review of draft-guballa-tls-terminology-03
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2016 15:48:33 -0000

Hello Eric,

thanks for starting the discussion in getting the TLS and DTLS terms clarified and fixed!
Just a quick reply today on the overall approach before commenting (or my colleagues) on the individual terms.

1st There are two groups working on (D)TLS specifications: the inner circle of TLS experts which might share a common understanding about the protocol semantics behind a term (this group might be WG TLS and perhaps also UTA); - and there is outer circle refering to (D)TLS in signalling plane, management plane, control plane, application and service specifications etc (such as WGs MMUSIC, RTCWEB, PERC, etc etc and SDOs like ITU-T, 3GPP, OMA, etc etc).
I'm belonging to the second group, lacking that insider knowledge to the TLS experts community.

2nd Definition A vs B for Term X
When using statements "make things clearer / worser than ..." then we need to look at the comparison of A and B.
Now, "A" is (often) not available (or somehow hidden in the existing (D)TLS RFCs, or only described at high level) when "B" relates to the terminology draft.

Furthermore, related the considered set of terms:
We need firstly fixe the terms for the TLS and DTLS "basic protocol set" (see the list of referrenced RFCs in the draft). The usage of them in context of ICE (and the interessting question of ICE restarts), WebRTC, tunnel techniques, etc should be considered in a subsequent step. Either an original term remains unchanged or would need to be further qualified.
But a consideration of "open, forward compatiblity" term semantics will lead in the end to a very vague definition in my understanding.
And it should be feasible to fix these terms because we got concrete information and data models behind the (D)TLS protocol entities. It's merely a question about the concrete set of information behind a particular term.

With regards to hierarchy:
The concept of (D)TLS in separating "session" and "connection|association" level, as well as protocol procedures at the very beginning and during the communication phase represent actually an hierarchical model inside the protocol.
Thus, the terminology draft follows that hierarchical approach (which again should leads to concise individual term definitions).

Regards, Albrecht



From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of EXT Eric Rescorla
Sent: Dienstag, 26. April 2016 19:46
To: tls@ietf.org
Subject: [TLS] Review of draft-guballa-tls-terminology-03

I recently reviewed draft-guballa-tls-terminology-03. Comments below.

OVERALL
I'm sympathetic to concerns that TLS terminology may not be as precise
as one would like, but IMO this document doesn't make things significantly
clearer and in some cases makes it worse. Specifically:

- (D)TLS is intentionally defined without any tight binding to the underlying
  transport. However, this document tries to tie it to IP semantics, which
  is not helpful and doesn't match existing practice.

- This document introduces a number of terms that don't exist in the (D)TLS
  documents (e.g., "Transient (D)TLS session"). This is just going to cause
  confusion.

In general, I don't think that having a second document that acts as
a glossary for (D)TLS but isn't part of the main documents is going to help
much. If the authors feel like the terminology in TLS is imprecise, it
would be more helpful to suggest changes to TLS 1.3 (e.g., via PRs).


DETAILED COMENTS
S 3.1.1.
There's no restriction on TLS that a given endpoint is attached
to one IP address, and in fact, it's common to run DTLS in
multihomed configs (e.g., DTLS over ICE).

S 3.2.1.
Again, (D)TLS isn't bound to the port or IP.

S 3.2.2.
This whole notion of semi-permanent versus transient isn't helpful,
especially in the face of tickets.

S 3.2.2.
This is just a new invented term. Please don't

S 3.3.1.
Destruction point doesn't seem useful since in many cases it's "unknown"
since it's in the future

S 3.3.4.
In DTLS you can respond to a ClientHello with a HelloVerifyRequest as
well.

S 3.4.4.
"message sequence" seems invented.

S 3.4.7.
I don't think it's helpful to import ITU notions of connection state here,
especially in the face of stuff like false start.

S 3.4.12.
Copying the session state here doesn't seem that useful, especially splitting
it into two states.





  

v2.23.0 | Report a Bug | By Email