Re: [TLS] Encrypting ALPN and other unused extensions
Watson Ladd <watsonbladd@gmail.com> Sun, 27 April 2014 16:06 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA31E1A0691 for <tls@ietfa.amsl.com>; Sun, 27 Apr 2014 09:06:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0eMY7MBjL2h for <tls@ietfa.amsl.com>; Sun, 27 Apr 2014 09:06:08 -0700 (PDT)
Received: from mail-yh0-x233.google.com (mail-yh0-x233.google.com [IPv6:2607:f8b0:4002:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 42BA11A0797 for <tls@ietf.org>; Sun, 27 Apr 2014 09:06:08 -0700 (PDT)
Received: by mail-yh0-f51.google.com with SMTP id f73so606210yha.38 for <tls@ietf.org>; Sun, 27 Apr 2014 09:06:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=btbYmMf1SU7IBB3Gk9FmJbNeaFxV5qDxO2fDXx4phrA=; b=plIYOsA8k6tzTdiuaWzdDTG2ntuqGqzPWKCIK04GsvDJArRFfsIeOGMxIcMTOJEjnx NcIAFyMdfmTW/qDZxKh/2KN2bDIhX8XKBo3PLJLlPFv69GEj9xISdDri+ty8+alJiBDN GS/A282eQrP4QR0JzbxLpKr6v101UdrtkcebkjBwPz1hwhz807OeulqWKAiLI6BsRkQo 1RJYSuC4P4KS/xWthPyn+EAmNjPeRmH0rc3zB2TS6aQde83RVTeTTtgZ/p++jET99MCV 8JwkDCJtv55rLBQ/aMUT4fLFYnKEnuo2s5neQ8Y7XgKn1WGGD9nFOJxn7ezPFIrW7nHc vQtg==
MIME-Version: 1.0
X-Received: by 10.236.137.8 with SMTP id x8mr30045063yhi.4.1398614767878; Sun, 27 Apr 2014 09:06:07 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Sun, 27 Apr 2014 09:06:07 -0700 (PDT)
In-Reply-To: <535B6235.9090907@pobox.com>
References: <535A8CED.7030805@pobox.com> <20140425173608.E1A2E1ACE0@ld9781.wdf.sap.corp> <D40A7DE25C5AA54195F82EA553F24460098E8321CB@USMBX1.msg.corp.akamai.com> <CACsn0cmcNXksu0ig8ZzkuAwBGrBSPv2yAg8XdBDC72j4F2HBJg@mail.gmail.com> <535B6235.9090907@pobox.com>
Date: Sun, 27 Apr 2014 09:06:07 -0700
Message-ID: <CACsn0cmS9oWuCbX4nm7u25STcp=bJqzZED45FkT8__k7Z7OrMw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael D'Errico <mike-list@pobox.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4PVfhw1YoVtDQxYiHB-NtInvyZY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting ALPN and other unused extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Apr 2014 16:06:10 -0000
On Sat, Apr 26, 2014 at 12:37 AM, Michael D'Errico <mike-list@pobox.com> wrote: > Watson Ladd wrote: >> >> On Fri, Apr 25, 2014 at 11:20 AM, Gero, Charlie <cgero@akamai.com> wrote: >>> >>> SNI and ALPN can be used to alter the path the rest of the handshake >>> takes (and for many hosts, will be the case). >> >> >> For SNI this is true. But ALPN? Remember it was introduced to handle >> HTTP 2.0 vs HTTP 1.0: I don't see people rushing out to use different >> certs per protocol. > > > It's a bit premature to inter ALPN when it hasn't yet been published as > an RFC. Why don't you like it? "Like it"? The question is whether or not the flexibility gained from letting the server pick its certificate in response to ALPN is worth the cost in protocol complexity. The usecases I've seen do not involve doing this. Remember I'm not proposing removing ALPN: I'm proposing changing the flow to work better with 1-RTT TLS and HTTP. Is there a cost in protocol complexity in supporting this usage? Yes. We haven't figured out a good way to encrypt SNI for much the same reason: how do you know what key to use to encrypt and decrypt data that will tell you which key to use. If we want 1-RTT to require foreknowledge of a key, this solves that problem partially, but at the cost of complicating the implementations that want to take advantage of 1-RTT. Sincerely, Watson Ladd
- [TLS] Encrypting ALPN and other unused extensions Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Eric Rescorla
- Re: [TLS] Encrypting ALPN and other unused extens… Michael D'Errico
- Re: [TLS] Encrypting ALPN and other unused extens… Martin Thomson
- Re: [TLS] Encrypting ALPN and other unused extens… Martin Rex
- Re: [TLS] Encrypting ALPN and other unused extens… Gero, Charlie
- Re: [TLS] Encrypting ALPN and other unused extens… Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Martin Thomson
- Re: [TLS] Encrypting ALPN and other unused extens… Michael D'Errico
- Re: [TLS] Encrypting ALPN and other unused extens… Paul Hoffman
- Re: [TLS] Encrypting ALPN and other unused extens… Peter Gutmann
- Re: [TLS] Encrypting ALPN and other unused extens… Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Michael D'Errico
- Re: [TLS] Encrypting ALPN and other unused extens… Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Salz, Rich