[TLS] TLS Flags extension - not sure it makes sense

Chris Inacio <inacio@cert.org> Tue, 23 July 2019 22:09 UTC

From: Chris Inacio <inacio@cert.org>
To: "tls@ietf.org" <tls@ietf.org>
Date: Tue, 23 Jul 2019 22:09:29 +0000
Message-ID: <9257D2C3-05A2-498C-AA2A-04F5EA793ACC@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DR_rjXGIWLLC6sDBmS17vajupWY>

I really want the savings on the wire that TLS flags extension provides – and so I think it’s really good for the future cTLS but I’m not sure when I get to use it in TLS 1.3 negotiation.  It goes in the ClientHello message, but how will I know that the server uses this extension?  I envision a future where we will add the flags extension along with the more expensive 4-byte version for a REALLY long time.

Is there a plan / ability to turn off the 4-byte version?

(BTW: I’m happy if people who really work the details of TLS tell me I misunderstand.  I hope I do.)
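As an added illustration (not part of Chris's message or of the tlsflags draft itself), the following Python encodes a tls_flags extension and the equivalent run of empty 4-byte extensions, so the byte cost of "flags only", "empty extensions only", and "both during a transition" can be compared for the same set of flags. It assumes a code point of 0x003E for tls_flags (none was assigned when this message was written), a body of `opaque flags<0..255>` with a 1-byte length prefix, and byte i holding flags 8i..8i+7 with flag 8i in the least significant bit.

```python
import struct

# Assumed code point for tls_flags; the draft had none assigned in July 2019.
TLS_FLAGS_TYPE = 0x003E
MAX_FLAG = 255 * 8 - 1  # flags<0..255> allows at most 255 bytes of bit map


def encode_flags_extension(flags):
    """Encode one tls_flags extension carrying the given flag numbers.

    Assumed layout: body is opaque flags<0..255>; byte i holds flags
    8*i..8*i+7 with flag 8*i in the least significant bit. The bit map is
    sized to the highest flag, so it never ends in a zero byte.
    """
    if not flags:
        raise ValueError("a flags extension must carry at least one flag")
    if any(f < 0 or f > MAX_FLAG for f in flags):
        raise ValueError("flag number out of range")
    bitmap = bytearray(max(flags) // 8 + 1)
    for f in flags:
        bitmap[f // 8] |= 1 << (f % 8)
    body = bytes([len(bitmap)]) + bytes(bitmap)  # 1-byte vector length prefix
    return struct.pack("!HH", TLS_FLAGS_TYPE, len(body)) + body


def decode_flags_extension(ext):
    """Parse one tls_flags extension and return its flag numbers, ascending.

    Rejects a mismatched length and a non-minimal (trailing zero byte) map,
    which a strict peer should treat as a malformed extension.
    """
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != TLS_FLAGS_TYPE or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed tls_flags extension")
    bitmap = ext[5:]
    if ext[4] != len(bitmap) or (bitmap and bitmap[-1] == 0):
        raise ValueError("bad vector length or non-minimal encoding")
    return [8 * i + b for i, byte in enumerate(bitmap) for b in range(8) if byte >> b & 1]


def encode_empty_extensions(ext_types):
    """The 4-byte-per-extension form: type(2) + length(2) with an empty body."""
    return b"".join(struct.pack("!HH", t, 0) for t in ext_types)


def wire_cost(flags):
    """Bytes on the wire for the same flags sent as tls_flags only, as one
    empty extension per flag, and as both (the transition the post worries about)."""
    flag_bytes = len(encode_flags_extension(flags))
    placeholder_types = [0xFF00 + i for i in range(len(flags))]  # constructed type values
    empty_bytes = len(encode_empty_extensions(placeholder_types))
    return {"flags": flag_bytes, "empty": empty_bytes, "both": flag_bytes + empty_bytes}
```

Note that a single flag costs 6 bytes in the flags extension against 4 for one empty extension; the saving only appears from the second flag onward, and carrying both forms costs more than either alone.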