IETF Logo Mail Archive

[TLS] Narrowing allowed characters in ALPN ?

Erik Nygren <erik+ietf@nygren.org> Wed, 19 May 2021 21:29 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A0243A1FB1 for <tls@ietfa.amsl.com>; Wed, 19 May 2021 14:29:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S0ehTR7c96xW for <tls@ietfa.amsl.com>; Wed, 19 May 2021 14:29:46 -0700 (PDT)
Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 296993A1FB0 for <tls@ietf.org>; Wed, 19 May 2021 14:29:45 -0700 (PDT)
Received: by mail-wr1-f51.google.com with SMTP id y14so13392907wrm.13 for <tls@ietf.org>; Wed, 19 May 2021 14:29:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=lQuClzTVfyE7xFXY2iJQ3NIMt85a7WrXqTEfC/dB9uY=; b=PE9TH1YQ8sBpvcwRIwdAM8XhGwVNgm8lK8ZdNT1YstTESy07WBxoxLh7H+rX8b/wJi du7kYbrXr9KisftqvQ5oPSgUWPqtJ+EwRgdQFAckazhBt27NthAi0OemIputAITTXAAd vwJopmeCi4DecZBDwZ00XECoiTehfWJ8fJ+NmUtM82SmmIJFLwnsH/4lAWYl38WOyb/q /75GR+n7/gNNhGosoX09/ur93/D8lnK/P1Ei6bGqGnREQ80KaM/LbBvrBvXiuQY+PSrJ su956XfJcmrLatxFhBnNKirr090CK3R+yTkF0ezfsU0vqBXyGV+ufjpBhLHm7CkpaJzz 5TqA==
X-Gm-Message-State: AOAM533Us33PHNCcAUSWwUIkPw0GFPd8zPEKPDW9Ef95wgZ4SqF83LhY SzB3tPuUHqUAxYh5+sgz/1rIPpP4Iy5dY0FmYdWq2/vmNIqJ6g==
X-Google-Smtp-Source: ABdhPJwhmy/aF2ml6MYwz5iT9PT9U4eNTMNUgVcy8fmKaM3+wwHxJbHbP9lZjfaIuiGpgTl8+FSV4TcKG8qibkQWX5w=
X-Received: by 2002:adf:cd8c:: with SMTP id q12mr902631wrj.43.1621459783922; Wed, 19 May 2021 14:29:43 -0700 (PDT)
MIME-Version: 1.0
From: Erik Nygren <erik+ietf@nygren.org>
Date: Wed, 19 May 2021 17:29:33 -0400
Message-ID: <CAKC-DJjSq2sVKsJphX4QQBHOBojnTVHNE-wkdnZyZtv8NiGpQA@mail.gmail.com>
To: "TLS@ietf.org" <tls@ietf.org>, Ben Schwartz <bemasc@google.com>, Mike Bishop <mbishop@evequefou.be>
Content-Type: multipart/alternative; boundary="0000000000007039a305c2b586a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JqhlkWX0H1F4Hi4pjMOcn1tkm-I>
Subject: [TLS] Narrowing allowed characters in ALPN ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 21:29:49 -0000

With draft-ietf-dnsop-svcb-https being in WGLC in DNSOP, one feedback that
has come up is that the escaping and parsing for SvcParamValues is
complicated.
Most of this complication comes from trying to support 8-bit clean ALPN
values.
Ideally in presentation format the ALPN list would be something like
"h2,h3,http/1.1"
but at the same time the current definition of ALPN as being a series of
binary
octets means that we need parsing and escaping rules.
When httpbis defined Alt-Svc, quite a bit of complexity showed up there
as well for supporting an 8-bit-clean ALPN value while allowing for an ascii
representation for most codepoints.  It seems likely that other
specifications
may run into the same challenge.

Would there be support for updating the ALPN registry to
indicate that registered ALPN values need to conform to a subset of token
characters?   There is a separate question for the process of making
this change, but before even exploring that it seems necessary to ask
the TLS WG if there are strong opinions on this one way or the other.

>From a usability perspective, non-token ALPN values will have challenges
in many of the systems that may try and configure them, as well
as for rendering special characters in various systems that may handle
ALPNs.
The codepoint space is also massive so it isn't clear that there's a
compelling
need to support 8-bit ALPN from a code point conservation perspective.

   Erik

v2.23.0 | Report a Bug | By Email