Re: [TLS] Comments on TLS extension mechanism
"Kyle Hamilton" <aerowolf@gmail.com> Sat, 24 June 2006 21:42 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FuFtC-0005h1-SE; Sat, 24 Jun 2006 17:42:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FuFtC-0005gw-5l for tls@ietf.org; Sat, 24 Jun 2006 17:42:02 -0400
Received: from nf-out-0910.google.com ([64.233.182.185]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FuFtA-00085r-QE for tls@ietf.org; Sat, 24 Jun 2006 17:42:02 -0400
Received: by nf-out-0910.google.com with SMTP id d4so705419nfe for <tls@ietf.org>; Sat, 24 Jun 2006 14:42:00 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pvA+BhvbBFrXtoPMierPoOQIL/tKrOKcOsCMsaz1BLaNr60t41aNLL0Vurr3UCxhAmJTi/jMvQ/bcW36GHPFgyR29bRJDAEBTQAW9Yx6gS5SH2EKl8xecptsCpsL+jnlldFAR20frVZ8hDRDo4DMNBeXAABjErOCF15c7IFnggA=
Received: by 10.49.78.10 with SMTP id f10mr3639434nfl; Sat, 24 Jun 2006 14:42:00 -0700 (PDT)
Received: by 10.48.12.1 with HTTP; Sat, 24 Jun 2006 14:41:59 -0700 (PDT)
Message-ID: <6b9359640606241441g5c795fej49fdc6d25961c736@mail.gmail.com>
Date: Sat, 24 Jun 2006 14:41:59 -0700
From: Kyle Hamilton <aerowolf@gmail.com>
To: david.nospam.hopwood@blueyonder.co.uk
Subject: Re: [TLS] Comments on TLS extension mechanism
In-Reply-To: <449D4CCF.8070107@blueyonder.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <6b9359640606232306q664ed3b3h74bf12f916aae846@mail.gmail.com> <449D4CCF.8070107@blueyonder.co.uk>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 25620135586de10c627e3628c432b04a
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Because, as I understand it, within every protocol (including IP) there has been a specific item dedicated to research. There is certainly no current shortage of IDs... but there's also nothing in place to provide a mechanism when resource exhaustion occurs. There's also nothing in place to keep experimental IDs from trampling on each other. (In this particular case, I'd like to inform the other end of what security policy this computer must implement, and determine if there is a compatible mapping before continuing the connection. This determination is not something that any current protocol does, and I want to research the security issues with such an action as this before I make any kind of proposal about it.) If you're worried about "increasing the complexity of the current parser", put a length integer just after the extension ID so the parser knows how much to skip if it doesn't understand the extension. Which is, as I understand it, approximately how the extensions are supposed to work anyway. Cordially, -Kyle Hamilton On 6/24/06, David Hopwood <david.nospam.hopwood@blueyonder.co.uk> wrote: > Kyle Hamilton wrote: > > I would like to request that a specific TLS extension number, say > > 65534, be used as a means of negotiating arbitrary TLS extensions for > > specific application and research purposes, with the express > > understanding that this mechanism SHOULD NOT be used unless no other > > option presents itself, AND the implementor is aware of any potential > > security issues that may be introduced. The format I propose would be > > akin to: > > > > struct { > > int extension_ID, > > OID arbitrary_extension, > > int extension_data_length(65535) > > opaque(arbitrary_extension_data) > > } TlsArbitraryExtensionType; > > > > Since section 5 of RFC4366 (and predecessors) states that new > > extensions shall ONLY be approved through RFCs approved by the IESG, > > this is the only logical place to propose such that I can find. > > Why would we want to approve an extension that essentially bypasses > the current approval policy, which was agreed by concensus of the > TLS WG, and that also increases the parsing complexity of such extensions > for no good reason? > > There is no extension ID scarcity problem. The policy for approval of > new extensions is exactly as intended, and the lack of an experimental > ID range is quite deliberate: > > The list of extension types, as defined in Section 2.3, is maintained > by the Internet Assigned Numbers Authority (IANA). Thus, an > application needs to be made to the IANA in order to obtain a new > extension type value. Since there are subtle (and not-so-subtle) > interactions that may occur in this protocol between new features and > existing features that may result in a significant reduction in > overall security, new values SHALL be defined only through the IETF > Consensus process specified in [IANA]. > > (This means that new assignments can be made only via RFCs approved > by the IESG.) > > -- > David Hopwood <david.nospam.hopwood@blueyonder.co.uk> > > > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Comments on TLS extension mechanism Kyle Hamilton
- Re: [TLS] Comments on TLS extension mechanism David Hopwood
- Re: [TLS] Comments on TLS extension mechanism Kyle Hamilton
- Re: [TLS] Comments on TLS extension mechanism David Hopwood
- [TLS] SRP TLS extension status Peter Sylvester
- Re: [TLS] SRP TLS extension status Nikos Mavrogiannopoulos