Re: [TLS] access_administratively_disabled v2

Sean Turner <> Fri, 05 January 2018 14:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B79EE129C5D for <>; Fri, 5 Jan 2018 06:33:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AzTU8dnd8tzg for <>; Fri, 5 Jan 2018 06:33:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8A335124217 for <>; Fri, 5 Jan 2018 06:33:41 -0800 (PST)
Received: by with SMTP id a8so6109445qkb.8 for <>; Fri, 05 Jan 2018 06:33:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=P2ljP+ek8x7d//96CCzw3q7ew1EFYIK9ciW6K/zvGqI=; b=LfuOukDme6j8KfNN8nHvUOmYIsUb1vE5J1XwcVObigPGy/V6P2cKoN7RUEi83Zhwn5 kYNnXj8lHBOC9gFyCV4fxKOOAIPEsOaUnBa+a/0oEpYGrEGtrxMIEt5SvvwhBOjZp4Tf AIsUby7k1Kt+xcrLoQ4gokrYl+cS0Y+CNMwGY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=P2ljP+ek8x7d//96CCzw3q7ew1EFYIK9ciW6K/zvGqI=; b=OuK9uS09OdnMdNJp+DmY73JagLndheXT+qQ9QVTTPqt7rHselBa8TZfb5jUz5EsR4s o2cqP3UifGIGLlzubR+BLOdoXjmmnJtZkdX8mP/RHG/W+On30mUhkfSiCLjFdigorlCM 8qGbMgdwOaQxyiuSh2+UXC+0mUPCifJEcCy6swkQtoSwPYL1iqu7rVzicP+WQXDz9QpC B6SBjO1s6kUvVtKYzxlpObw6+42nepj1URtJU4Q3JyPdXn1YU6Nk4t2LAIkEsBu288xZ u7HVYjQ8HJijEu0gCNtTbRk9ulha1Gsci/JVVVEJL96hLbX+qW99XPfo5B9Yp22XxHG0 GTjw==
X-Gm-Message-State: AKwxytdCnLsnuheOjjkbZ+80vGGmR1B7y7mCjYWEgheelaOEtDzk4RWl dUnmJ72sqanDeyc49XB6d86O5g==
X-Google-Smtp-Source: ACJfBotLyFiAL9I0Hxvn1hJVUtVNcCgtFE7FKMhK1czxSiUXzHB4GQ4Hk/s73lFfQPXCymRfy7kQsQ==
X-Received: by with SMTP id q63mr4530777qkd.346.1515162820482; Fri, 05 Jan 2018 06:33:40 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id g9sm3596120qtg.2.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jan 2018 06:33:39 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <>
In-Reply-To: <>
Date: Fri, 5 Jan 2018 09:33:37 -0500
Cc: "<>" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
To: =?utf-8?Q?Mateusz_Jo=C5=84czyk?= <>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <>
Subject: Re: [TLS] access_administratively_disabled v2
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Jan 2018 14:33:44 -0000


It appears that the way forward is to document the mechanism you have in mind in an Internet-Draft.  That I-D should include the mechanism as well as the new alert you want.*  It is better that the alert be in a separate I-D (i.e., not in the TLS 1.3 specification) because including an alert in the TLS 1.3 draft that refers to a yet-to-be standardized mechanism is pretty much not going to work with the IETF publication process; we are near the finish line for TLS 1.3 and having a reference of this sort will no doubt add some delay possibly a lot of delay.**

The other issue here is that there is an existing WG chartered (capport) to work on this particular problem or some part of it; the TLS WG would be stepping on their toes if we picked up the work.

For the two reasons listed above, I’m asking ekr to close the PR#1134.


* Please do not include a value for the alert use "(TBD)".

** The reference would be a normative reference to another specification that was not at the same “maturity" level.  The TLS 1.3 specification would have to wait while this new I-D gets to the same maturity - but there’s no guarantee that the I-D will in fact get to the same maturity level.

> On Jan 4, 2018, at 17:29, Martin Thomson <> wrote:
> On Fri, Jan 5, 2018 at 3:39 AM, Mateusz Jończyk <> wrote:
>> W dniu 04.01.2018 o 16:52, Stephen Farrell pisze:
>>> I'm fairly sure I'm against attempting to handle captive portal issues at
>>> the TLS layer. Any changes to TLS needed for captive portals ought really
>>> garner consensus within the capport wg and then be discussed here. (It
>>> looks from the archive of that wg that this topic hasn't even been raised
>>> there despite a few people suggesting that, which is IMO another reason to
>>> reject this proposal now.)
>> Captive portals != filtering, these are AFAIK different problems and need
>> mostly different solutions. I just integrated them under the same umbrella
>> because they initially both used to seem to benefit from adding alert messages
>> to TLS (but that idea is dead now).
>> I am not certain whether adding captive_portal AlertDescription to TLS would
>> be of benefit. It seems to me that possibly yes, but haven't reviewed this.
> Please take that discussion to the capport WG (
> However, it seems like you want to address filtering/censorship more
> than you want to address the captive portal case.  I can say that the
> capport WG isn't interested in anything that might improve filtering
> or censorship and are explicitly designing mechanisms that avoid doing
> so.  I won't say that you can't raise the issue, but you should be
> aware that this topic has been discussed quite a bit already and
> unless you have new information, I doubt you will change the
> conclusions.
> _______________________________________________
> TLS mailing list