Re: [TLS] [AVTCORE] WG last call of draft-ietf-avtcore-rfc5764-mux-fixes-05

Martin Thomson <martin.thomson@gmail.com> Wed, 02 March 2016 22:48 UTC

In-Reply-To: <56D76716.1090506@acm.org>
References: <56A8904D.10307@ericsson.com> <CAOgPGoBU+h6cA9RDxBX2m1AR-3-GnC7OYcfDLTpDepX00g73dA@mail.gmail.com> <201602080117.57742.davemgarrett@gmail.com> <56CA239F.6010107@acm.org> <56D7076A.1020703@ericsson.com> <CAOgPGoB669zcdqMYXd0yD4Tkqx7yuj6dc0y1byv3bw1ZN_qv6Q@mail.gmail.com> <56D76716.1090506@acm.org>
Date: Thu, 3 Mar 2016 09:48:00 +1100
Message-ID: <CABkgnnUxeQbVfaWuGwg=5qk-0Urky5uFA_2GxGkKYFKQu=AZfA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Marc Petit-Huguenin <petithug@acm.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/7sIb0Erhwu73XIHombnuakcpTyg>
Cc: "tls@ietf.org" <tls@ietf.org>, "avt@ietf.org" <avt@ietf.org>
Subject: Re: [TLS] [AVTCORE] WG last call of draft-ietf-avtcore-rfc5764-mux-fixes-05

On 3 March 2016 at 09:20, Marc Petit-Huguenin <petithug@acm.org> wrote:
> draft-ietf-avtcore-rfc5764-mux-fixes does not reserve large portions of the ContentType codepoints, RFC 5764 did.  The damage is already done as RFC 5764 is deployed as a component of RTCWeb.

I think that we can resolve this by saying this instead:

RFC 5764 describes a narrow use of DTLS that works as long as the
specific DTLS version used abides by the restrictions on the first
byte (the ones that mux-fixes wants to put in the TLS registry).  Any
extension or revision to DTLS that causes DTLS to no longer meet
these constraints prevents that extension or version from being used
in the fashion RFC 5764 describes.

That means that DTLS 1.2 is safe.  Thus far.  DTLS 1.3 is also safe so
far, though we're a lot further from done there[3].

I'm sorry that I didn't see this option before; I figured that with
content type encryption in TLS 1.3, we wouldn't need those code
points.  However, Joe is right to protest the incursion onto sovereign
territory.

[3]  I actually hope that we can change DTLS 1.3 so that it won't mux
properly.  That will have a size benefit that should outweigh the cost
of having to rev 5764 for 1.3.
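The first-byte rule the message refers to, as an added example that is not part of this thread: the demultiplexer from RFC 5764 section 5.1.2 with the ranges as updated by the mux-fixes draft (published as RFC 7983), and a check that a DTLS ContentType value lands in the DTLS range. The sample packets are constructed for illustration.

```python
# Added example, not from the thread. Implements the first-byte demux of
# RFC 5764 as updated by RFC 7983 (the mux-fixes draft). The point of the
# thread: a DTLS version is only usable this way if every record it emits
# starts with a ContentType byte in 20..63.

def classify_first_byte(packet: bytes) -> str:
    """Classify a packet arriving on a port shared by STUN, DTLS and RTP."""
    if not packet:
        return "empty"
    b = packet[0]
    if 0 <= b <= 3:
        return "STUN"
    if 16 <= b <= 19:
        return "ZRTP"
    if 20 <= b <= 63:
        return "DTLS"
    if 64 <= b <= 79:
        return "TURN-channel"
    if 128 <= b <= 191:
        return "RTP/RTCP"
    return "unknown"  # outside every allocated range: drop it

# ContentType values a DTLS 1.2 stack can emit (TLS ContentType registry).
DTLS12_CONTENT_TYPES = (20, 21, 22, 23, 24)

def dtls_version_is_muxable(content_types) -> bool:
    """True if every ContentType the version emits demuxes as DTLS."""
    return all(classify_first_byte(bytes([ct])) == "DTLS" for ct in content_types)

# Constructed sample packets (only the first bytes matter for the check).
STUN_BINDING_REQUEST = bytes.fromhex("000100002112a442")      # type 0x0001
DTLS_HANDSHAKE_RECORD = bytes.fromhex("16fefd0000000000000000")  # ContentType 22
RTP_V2_PACKET = bytes.fromhex("80600001")                     # V=2, PT=96

if __name__ == "__main__":
    for name, pkt in (("stun", STUN_BINDING_REQUEST),
                      ("dtls", DTLS_HANDSHAKE_RECORD),
                      ("rtp", RTP_V2_PACKET)):
        print(name, classify_first_byte(pkt))
    print("DTLS 1.2 muxable:", dtls_version_is_muxable(DTLS12_CONTENT_TYPES))
```

A hypothetical DTLS revision that emitted a ContentType of, say, 64 would be classified as a TURN channel message rather than DTLS, which is exactly the failure the message describes.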