Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard

Alyssa Rowan <akr@akr.io> Sat, 14 December 2013 23:24 UTC

Message-ID: <52ACE148.7060209@akr.io>
Date: Sat, 14 Dec 2013 22:52:56 +0000
From: Alyssa Rowan <akr@akr.io>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: tls@ietf.org, ietf@ietf.org
References: <20131213171608.10285.15352.idtracker@ietfa.amsl.com> <9D6C4F2B-25ED-4A2A-AE89-03122D7213B8@vpnc.org> <52AB6323.2050107@akr.io> <FB25564E-DD77-45B1-B9B7-605C6F581E70@checkpoint.com> <52ABAB5E.4040506@akr.io> <1387025259.17660.17.camel@aspire.lan> <52ACC10B.6070005@akr.io> <C8E4C552-1C0E-4FDE-8890-FA1BE41D8B46@checkpoint.com>
In-Reply-To: <C8E4C552-1C0E-4FDE-8890-FA1BE41D8B46@checkpoint.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 23:24:20 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 14/12/2013 21:40, Yoav Nir wrote:

> How about having this in the security considerations:
> 
> Implementers and document editors who intend to extend the
> protocol identifier registry by adding new protocol identifiers
> should consider that in TLS versions 1.2 and below the client sends
> these identifiers in the clear, and should also consider that for
> at least the next decade, it is expected that browsers would
> normally use these earlier versions of TLS in the initial
> ClientHello.
> 
> Care must be taken when such identifiers may leak personally 
> identifiable information, or when such leakage may lead to 
> profiling, or to leaking of sensitive information. If any of these 
> apply to this new protocol identifier, the extension SHOULD NOT be 
> used in TLS versions 1.2 and below, and documents specifying such 
> protocol identifiers SHOULD recommend against such unsafe use.

Absolutely. Much better than my wording. Less limiting, but lets them
know what they're doing by using it.

The next decade part makes me a sad panda. Realistic, but depressing.
Let's see if we can do better with TLS 1.3!

-- 
/akr
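The point the proposed security-considerations text makes is that, with TLS 1.2 and earlier, the ALPN protocol identifiers travel in the plaintext ClientHello, so anyone on the path (a network monitor as much as an eavesdropper) can read them. The following Python is an added illustration, not part of this thread or of the draft: it builds a minimal TLS 1.2 ClientHello carrying an ALPN extension in the RFC 7301 wire format (extension type 16) and then parses the protocol names straight back out of the raw bytes without any key material. The 32-byte random, the single cipher suite and the protocol names are constructed sample values.

```python
"""Added example (not from the mailing-list thread or the draft): build a
minimal TLS 1.2 ClientHello with an ALPN extension and recover the ALPN
protocol names from the raw record, showing the identifiers are readable
in the clear before any encryption is negotiated."""
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)


def build_alpn_extension(protocols):
    """Encode a list of protocol names as an ALPN extension (type + length + ProtocolNameList)."""
    body = b"".join(struct.pack("!B", len(p)) + p for p in protocols)
    proto_list = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", ALPN_EXT_TYPE, len(proto_list)) + proto_list


def build_client_hello(protocols, random_bytes=b"\x00" * 32):
    """Return one TLS record holding a ClientHello (constructed sample, not a real client's)."""
    exts = build_alpn_extension(protocols)
    body = (b"\x03\x03"                       # client_version: TLS 1.2
            + random_bytes                    # 32-byte random (constructed)
            + b"\x00"                         # empty session_id
            + b"\x00\x02\xc0\x2f"             # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_alpn(record):
    """Return the ALPN protocol names found in a plaintext ClientHello record ([] if none)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos >= len(body):
        return []                                  # no extensions block at all

    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    names = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext_data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type == ALPN_EXT_TYPE:
            list_len = struct.unpack("!H", ext_data[:2])[0]
            q = 2
            while q < 2 + list_len:
                n = ext_data[q]; q += 1
                names.append(ext_data[q:q + n]); q += n
    return names


if __name__ == "__main__":
    hello = build_client_hello([b"h2", b"http/1.1"])
    # No keys were used anywhere above; the names come straight off the wire bytes.
    print([n.decode() for n in extract_alpn(hello)])
```

The same parser works on the first record of any captured TLS 1.2-or-earlier connection, which is exactly why the draft text asks registrants to think about what a protocol identifier reveals: a name that is tied to one specific application or user population is as visible to a passive observer as the server name is.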