Re: [TLS] access_administratively_disabled v2

Sean Turner <sean@sn3rd.com> Fri, 05 January 2018 14:33 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79EE129C5D for <tls@ietfa.amsl.com>; Fri, 5 Jan 2018 06:33:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzTU8dnd8tzg for <tls@ietfa.amsl.com>; Fri, 5 Jan 2018 06:33:41 -0800 (PST)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A335124217 for <tls@ietf.org>; Fri, 5 Jan 2018 06:33:41 -0800 (PST)
Received: by mail-qk0-x231.google.com with SMTP id a8so6109445qkb.8 for <tls@ietf.org>; Fri, 05 Jan 2018 06:33:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=P2ljP+ek8x7d//96CCzw3q7ew1EFYIK9ciW6K/zvGqI=; b=LfuOukDme6j8KfNN8nHvUOmYIsUb1vE5J1XwcVObigPGy/V6P2cKoN7RUEi83Zhwn5 kYNnXj8lHBOC9gFyCV4fxKOOAIPEsOaUnBa+a/0oEpYGrEGtrxMIEt5SvvwhBOjZp4Tf AIsUby7k1Kt+xcrLoQ4gokrYl+cS0Y+CNMwGY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=P2ljP+ek8x7d//96CCzw3q7ew1EFYIK9ciW6K/zvGqI=; b=OuK9uS09OdnMdNJp+DmY73JagLndheXT+qQ9QVTTPqt7rHselBa8TZfb5jUz5EsR4s o2cqP3UifGIGLlzubR+BLOdoXjmmnJtZkdX8mP/RHG/W+On30mUhkfSiCLjFdigorlCM 8qGbMgdwOaQxyiuSh2+UXC+0mUPCifJEcCy6swkQtoSwPYL1iqu7rVzicP+WQXDz9QpC B6SBjO1s6kUvVtKYzxlpObw6+42nepj1URtJU4Q3JyPdXn1YU6Nk4t2LAIkEsBu288xZ u7HVYjQ8HJijEu0gCNtTbRk9ulha1Gsci/JVVVEJL96hLbX+qW99XPfo5B9Yp22XxHG0 GTjw==
X-Gm-Message-State: AKwxytdCnLsnuheOjjkbZ+80vGGmR1B7y7mCjYWEgheelaOEtDzk4RWl dUnmJ72sqanDeyc49XB6d86O5g==
X-Google-Smtp-Source: ACJfBotLyFiAL9I0Hxvn1hJVUtVNcCgtFE7FKMhK1czxSiUXzHB4GQ4Hk/s73lFfQPXCymRfy7kQsQ==
X-Received: by 10.55.142.66 with SMTP id q63mr4530777qkd.346.1515162820482; Fri, 05 Jan 2018 06:33:40 -0800 (PST)
Received: from [172.16.0.18] ([96.231.220.27]) by smtp.gmail.com with ESMTPSA id g9sm3596120qtg.2.2018.01.05.06.33.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jan 2018 06:33:39 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CABkgnnWdHnb-CV-EMWi9MtTspn1ZBzmLMd=OS0ubmMq+U09VgA@mail.gmail.com>
Date: Fri, 5 Jan 2018 09:33:37 -0500
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7AB77AD3-0739-4E02-8568-B74167A834CB@sn3rd.com>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl> <CABcZeBN=JHV3gY_JCkCUHHASEqcUQTUmmpRY5i66Dv53k=Z3Ag@mail.gmail.com> <3685a850-03ec-5162-414b-c2676022d661@o2.pl> <CABcZeBO0nzmfcA+1ujxceDtNKPGUBZQtBg4-yN-OpOSyEJ3bNg@mail.gmail.com> <eb4530ad-2e6e-d5b6-72e7-4f84dae635e3@o2.pl> <5afdbc7f-30bb-4de2-6a72-588b8edc55d8@akamai.com> <235782bf-c26b-12c4-391a-26b654a8b9af@o2.pl> <CABcZeBMtU41cuNw=JGVRe8=7GtAzCL1RsRnm3UKeNgBb5FFicw@mail.gmail.com> <384cbf47-e41d-9372-c8b4-ba9b5788fdbe@cs.tcd.ie> <6c2052fc-a43a-10e3-d6c6-0a212d17b5ed@o2.pl> <CABkgnnWdHnb-CV-EMWi9MtTspn1ZBzmLMd=OS0ubmMq+U09VgA@mail.gmail.com>
To: =?utf-8?Q?Mateusz_Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4v0zeTfLFKTkEbmDMGy86ymj0B8>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jan 2018 14:33:44 -0000

Mateusz,

It appears that the way forward is to document the mechanism you have in mind in an Internet-Draft.  That I-D should include the mechanism as well as the new alert you want.*  It is better that the alert be in a separate I-D (i.e., not in the TLS 1.3 specification) because including an alert in the TLS 1.3 draft that refers to a yet-to-be standardized mechanism is pretty much not going to work with the IETF publication process; we are near the finish line for TLS 1.3 and having a reference of this sort will no doubt add some delay possibly a lot of delay.**

The other issue here is that there is an existing WG chartered (capport) to work on this particular problem or some part of it; the TLS WG would be stepping on their toes if we picked up the work.

For the two reasons listed above, I’m asking ekr to close the PR#1134.

spt

* Please do not include a value for the alert use "(TBD)".

** The reference would be a normative reference to another specification that was not at the same “maturity" level.  The TLS 1.3 specification would have to wait while this new I-D gets to the same maturity - but there’s no guarantee that the I-D will in fact get to the same maturity level.

> On Jan 4, 2018, at 17:29, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On Fri, Jan 5, 2018 at 3:39 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
>> W dniu 04.01.2018 o 16:52, Stephen Farrell pisze:
>>> I'm fairly sure I'm against attempting to handle captive portal issues at
>>> the TLS layer. Any changes to TLS needed for captive portals ought really
>>> garner consensus within the capport wg and then be discussed here. (It
>>> looks from the archive of that wg that this topic hasn't even been raised
>>> there despite a few people suggesting that, which is IMO another reason to
>>> reject this proposal now.)
>> 
>> Captive portals != filtering, these are AFAIK different problems and need
>> mostly different solutions. I just integrated them under the same umbrella
>> because they initially both used to seem to benefit from adding alert messages
>> to TLS (but that idea is dead now).
>> 
>> I am not certain whether adding captive_portal AlertDescription to TLS would
>> be of benefit. It seems to me that possibly yes, but haven't reviewed this.
> 
> Please take that discussion to the capport WG (captive-portals@ietf.org).
> 
> However, it seems like you want to address filtering/censorship more
> than you want to address the captive portal case.  I can say that the
> capport WG isn't interested in anything that might improve filtering
> or censorship and are explicitly designing mechanisms that avoid doing
> so.  I won't say that you can't raise the issue, but you should be
> aware that this topic has been discussed quite a bit already and
> unless you have new information, I doubt you will change the
> conclusions.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls