Re: [TLS] PR#28: Converting cTLS to QUIC-style varints
Michael D'Errico <mike-list@pobox.com> Tue, 06 October 2020 17:00 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6817B3A0D8A for <tls@ietfa.amsl.com>; Tue, 6 Oct 2020 10:00:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com; domainkeys=pass (1024-bit key) header.from=mike-list@pobox.com header.d=pobox.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nk-RUvvpu7NP for <tls@ietfa.amsl.com>; Tue, 6 Oct 2020 10:00:36 -0700 (PDT)
Received: from pb-smtp2.pobox.com (pb-smtp2.pobox.com [64.147.108.71]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19DEC3A0D89 for <tls@ietf.org>; Tue, 6 Oct 2020 10:00:36 -0700 (PDT)
Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id F2B1782F5F; Tue, 6 Oct 2020 13:00:34 -0400 (EDT) (envelope-from mike-list@pobox.com)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=/6FetdTDbgqy r/RKDj42xAgppeg=; b=V03+1nK0+aOyCiJwOx2Wsg8k+aYvaj47vINNjMwwklZE x5OHXkolR8yJJ6loa7wiSLZWbK4X6xpR/jV9n8IDuJZsg3MXljon41liRHgaZgdA tsuocw04NzQfK//OilgLuns2KbVYSL6yX658pPtjhecr0MEqTA/4N2N4PsnLFg0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=TUZaNJ A6zacRuVYlQN6alLRDKdTE0vWfBHOg0CE1W3RHbitK2GnPPAZ5ksJl/AfUaWsA5A 8GURf9PTnQR+Jy+/yISQmQ9nz82qVaGUdfrAEgkBZRwaxNThyO4vRr9QM7AnKlDK VZ3VecI1LSM98z4CVnb4FRh7j6GPZpkWYrOsM=
Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id E7E3A82F5E; Tue, 6 Oct 2020 13:00:34 -0400 (EDT) (envelope-from mike-list@pobox.com)
Received: from MacBookPro.local (unknown [72.227.128.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id 000C882F5D; Tue, 6 Oct 2020 13:00:32 -0400 (EDT) (envelope-from mike-list@pobox.com)
To: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBPNFhGoLhgqeR9ObwyU68BYq=hXG1PhXcqNsNDNFGGyaw@mail.gmail.com> <CAOYVs2rEDtgJFVpiQkcaaYG2LAyW1hB5Cou4kUoG2_dkxMFTww@mail.gmail.com> <CABcZeBP3BUDEeiV2T-kxYTmC841XE_BrXhPHSoRqfdH0hHd-6w@mail.gmail.com> <BBA456AB-EC42-47DD-A3E3-5FC0E9E7A534@akamai.com> <53DD7D0D-D325-4246-86F2-C409875134FB@ll.mit.edu> <8e8ca76e-37ce-ce10-ae42-ea26d87c35fc@pobox.com> <9CED80DA-FAE7-4C7F-9687-3B61B63587E9@akamai.com>
From: Michael D'Errico <mike-list@pobox.com>
Message-ID: <a49d4b8c-cf49-51df-0c6b-332a4459f318@pobox.com>
Date: Tue, 06 Oct 2020 13:00:32 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <9CED80DA-FAE7-4C7F-9687-3B61B63587E9@akamai.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
X-Pobox-Relay-ID: 7247F48A-07F5-11EB-9CA4-74DE23BA3BAF-38729857!pb-smtp2.pobox.com
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K7kPm4WUmyFcJhid2nEVMFNaQAQ>
Subject: Re: [TLS] PR#28: Converting cTLS to QUIC-style varints
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2020 17:00:37 -0000
>> But if the spec says MUST be minimum length, > I would feel compelled to check every one. > > "Be liberal in what you accept" no? A requirement of MUST in a security protocol usually means (or at least should mean) that there's a good reason for the thing, whatever it is, so if you are not checking it, then bad things can happen. I try to heed Postel's advice though, and can sometimes be more liberal than the spec says if I really know what the trade-offs are. With crypto though, I don't pretend to be expert in it, I'm kind of afraid of it, and I'm not sure how anyone can claim to understand it well enough to say, for example, that ECC is so much better than everything else. What if it's all broken? We're getting rid of everything else that we know works.... >> Please don't require minimum length unless > security would be weaker without it. > > If the fields are used in digests/hashing/signatures, then it matters. (The DER/BER comment upthread) It matters in X.509 certificates because the basic encoding rules (BER) allow you to specify the same thing in different ways. With DER, there is only one way to encode every element, so everybody will come up with the same string of bytes and hashes of those strings will be the same, signatures will verify, etc. I haven't read whatever spec cTLS is, but know that if I decided to implement it someday and there's a "varints MUST be minimum length" requirement, I'd assume that it's important and would check for it. If this is a waste of CPU cycles, then please don't make it a requirement. Mike
- [TLS] PR#28: Converting cTLS to QUIC-style varints Eric Rescorla
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Marten Seemann
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Martin Thomson
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Eric Rescorla
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Eric Rescorla
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Salz, Rich
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Marten Seemann
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Eric Rescorla
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Christian Huitema
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Rob Sayre
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Hannes Tschofenig
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Martin Thomson
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Salz, Rich
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Salz, Rich
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Salz, Rich
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Christian Huitema
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Nick Harper
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Martin Thomson
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Nick Harper
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Christian Huitema
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Peter Gutmann
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Watson Ladd
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Mohit Sethi M
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Anders Rundgren
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Mohit Sethi M
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Michael D'Errico
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Eric Rescorla
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Salz, Rich
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Hannes Tschofenig
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Eric Rescorla
- Re: [TLS] PR#28: Converting cTLS to QUIC-style va… Mohit Sethi M