IETF Logo Mail Archive

Re: [TLS] Encrypting ALPN and other unused extensions

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 26 April 2014 14:48 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EED2E1A04C8 for <tls@ietfa.amsl.com>; Sat, 26 Apr 2014 07:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3e5wnsnUWzs for <tls@ietfa.amsl.com>; Sat, 26 Apr 2014 07:48:28 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 3911B1A04B4 for <tls@ietf.org>; Sat, 26 Apr 2014 07:48:28 -0700 (PDT)
Received: from [10.20.30.90] (142-254-17-198.dsl.dynamic.fusionbroadband.com [142.254.17.198]) (authenticated bits=0) by hoffman.proper.com (8.14.8/8.14.7) with ESMTP id s3QEmIBG059491 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 26 Apr 2014 07:48:19 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-198.dsl.dynamic.fusionbroadband.com [142.254.17.198] claimed to be [10.20.30.90]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABkgnnWTgmOmhGsVWyaVya2PcOG1iTZzmt-rHD4yg+hEOh0KnA@mail.gmail.com>
Date: Sat, 26 Apr 2014 07:48:16 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <18A8EEAE-86BA-49C8-A54A-370123402B25@vpnc.org>
References: <535A8CED.7030805@pobox.com> <20140425173608.E1A2E1ACE0@ld9781.wdf.sap.corp> <D40A7DE25C5AA54195F82EA553F24460098E8321CB@USMBX1.msg.corp.akamai.com> <CACsn0cmcNXksu0ig8ZzkuAwBGrBSPv2yAg8XdBDC72j4F2HBJg@mail.gmail.com> <CABkgnnWTgmOmhGsVWyaVya2PcOG1iTZzmt-rHD4yg+hEOh0KnA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6Ts_6NkRE70MHBvo9jjBC7m-_y8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting ALPN and other unused extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 14:48:29 -0000

On Apr 25, 2014, at 10:20 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 25 April 2014 19:34, Watson Ladd <watsonbladd@gmail.com> wrote:
>> does TLS ensure that I'm talking to the right *port*?
> 
> That's a PKIX function,

Not at all true.

> but the answer is no, mostly [RFC6125].  

And not even there. :-)

There are no certificate fields that specify the port on which the server is running, and even RFC 6125 only talks about services, which can (and often are) run on ports other than their "default" port. Even the widely-derided key usage field doesn't specify a port. 

> We
> authenticate names, even though it is theoretically possible to
> authenticate URIs, I don't think that it is used in many places and
> there has been anything in between defined.

RFC 6125 says plenty about naming with URIs, as does the base PKIX spec; neither specifies any operational way to authenticate past the host name.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email