IETF Logo Mail Archive

Re: [TLS] Can flags be responded to with an extension?

Benjamin Kaduk <bkaduk@akamai.com> Mon, 09 May 2022 16:21 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D379C15E3EB for <tls@ietfa.amsl.com>; Mon, 9 May 2022 09:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.669
X-Spam-Level:
X-Spam-Status: No, score=-2.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKZv1WMBUq4h for <tls@ietfa.amsl.com>; Mon, 9 May 2022 09:21:19 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABC6BC159A1D for <tls@ietf.org>; Mon, 9 May 2022 09:21:19 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.17.1.5/8.17.1.5) with ESMTP id 249GFCCE005247; Mon, 9 May 2022 17:21:17 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : content-transfer-encoding : in-reply-to; s=jan2016.eng; bh=gUnYuO+FuftW9GKILt27HyZVSOPdqJr2G4kOI6pGZEM=; b=hiAByRvMwJVxhht34YPn3ciiT4ygs+bqBFUW0css7N1b6eVD2uhm6VMfKAk2mBEKY9al do5ewAKdByflg1yvdNutadlC+MeRT8bO28q8AJ4vznowYjtOIN9u/UPO8UkC2+ajxpWS iNuavNj+nHNyMLpfq1WR1FlguKIcjuv55UTDRsvEIG7xR+GYgbMQrDRZQXSBa9UBDh+S nvboAwxNHXJKgeU5r3kCtzWf67FcrbeQEYpbxaM1ElplDFQToS1eOvIxEhgm4gRoX8IS JP1sXwwvq7QMRHx/gph3Jb1BawH4jzDNUidisaDXKYoXivAKBCsW0hfcb1ays5qUA6kR 2A==
Received: from prod-mail-ppoint6 (prod-mail-ppoint6.akamai.com [184.51.33.61] (may be forged)) by m0050102.ppops.net-00190b01. (PPS) with ESMTPS id 3fxucfdptd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 May 2022 17:21:16 +0100
Received: from pps.filterd (prod-mail-ppoint6.akamai.com [127.0.0.1]) by prod-mail-ppoint6.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 249G8x2h022338; Mon, 9 May 2022 12:21:16 -0400
Received: from email.msg.corp.akamai.com ([172.27.91.24]) by prod-mail-ppoint6.akamai.com with ESMTP id 3fwm3yv0ay-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 May 2022 12:21:15 -0400
Received: from usma1ex-dag3mb1.msg.corp.akamai.com (172.27.123.60) by usma1ex-dag4mb5.msg.corp.akamai.com (172.27.91.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.986.22; Mon, 9 May 2022 12:21:15 -0400
Received: from usma1ex-dag4mb2.msg.corp.akamai.com (172.27.91.21) by usma1ex-dag3mb1.msg.corp.akamai.com (172.27.123.60) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Mon, 9 May 2022 12:21:15 -0400
Received: from akamai.com (172.19.16.38) by usma1ex-dag4mb2.msg.corp.akamai.com (172.27.91.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.22 via Frontend Transport; Mon, 9 May 2022 12:21:14 -0400
Date: Mon, 09 May 2022 09:21:13 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Yoav Nir <ynir.ietf@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20220509162112.GD12383@akamai.com>
References: <CABcZeBPyqFSgdiUbgKk5QbHnDA_zT8RH_KROebTrUNOnfqZZGQ@mail.gmail.com> <20220413225130.GC3149@akamai.com> <00386759-28C6-4E54-BC9C-1C566D4A0B6D@gmail.com> <20220509154319.GC12383@akamai.com> <CABcZeBMmNfEM_uUP7cjA-3eYVp+Wkz6jzuSraNJ=Ua3ov_tVpg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CABcZeBMmNfEM_uUP7cjA-3eYVp+Wkz6jzuSraNJ=Ua3ov_tVpg@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486, 18.0.858 definitions=2022-05-09_05:2022-05-09, 2022-05-09 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 bulkscore=0 suspectscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205090088
X-Proofpoint-GUID: Hvi5_i83EfXt7drDbMqDQxZR6vo0MmDv
X-Proofpoint-ORIG-GUID: Hvi5_i83EfXt7drDbMqDQxZR6vo0MmDv
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-09_05,2022-05-09_02,2022-02-23_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 adultscore=0 malwarescore=0 lowpriorityscore=0 clxscore=1011 bulkscore=0 phishscore=0 spamscore=0 mlxlogscore=999 mlxscore=0 priorityscore=1501 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205090089
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QLrA3vJfnUxtV84U_doSw0SUu00>
Subject: Re: [TLS] Can flags be responded to with an extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 May 2022 16:21:23 -0000

Hi Ekr,

On Mon, May 09, 2022 at 08:56:26AM -0700, Eric Rescorla wrote:
> On Mon, May 9, 2022 at 8:43 AM Benjamin Kaduk <bkaduk=
> 40akamai.com@dmarc.ietf.org> wrote:
> 
> > On Mon, May 09, 2022 at 06:10:43PM +0300, Yoav Nir wrote:
> > >
> > >
> > > > On 14 Apr 2022, at 1:51, Benjamin Kaduk <bkaduk=
> > 40akamai.com@dmarc.ietf.org> wrote:
> > > >
> > > > On Wed, Apr 13, 2022 at 10:56:49AM -0700, Eric Rescorla wrote:
> > > >> Consider the case where the client wants to offer some capability that
> > > >> the server then responds to with real data, rather than just an
> > > >> acknowledgement.
> > > >>
> > > >> For instance, supposing the SCT extension from RFC 6962 did not exist,
> > > >> the client would want to indicate support in CH and the server would
> > > >> send the SCT in CERT, but this extension would need to be non-empty
> > > >> and hence not a flag. draft-ietf-tls-tlsflags-09 seems a bit
> > > >> uncelar on this point (unless I'm missing it) but I think we
> > > >> should explicitly allow it.
> > > >
> > > > In my head this was already disallowed.  I couldn't swear to whether
> > > > we actually talked about it previously or not, though.
> > >
> > > I’m pretty sure we haven’t discussed this (or at least, I wasn’t in the
> > room).  In my head it’s also disallowed.  In the text, it’s not explicitly
> > disallowed, but the text does talk about response flags that are in flag
> > extensions, not about responses that are in other extensions or other
> > messages.  So implicitly disallowed?
> >
> > I think the description in the abstract of the target class of extension as
> > those "that carry no interesting information except the 1-bit indication
> > that a
> > certain optional feature is supported" also implicitly disallows response
> > bodies.
> >
> 
> Hmm... I don't think this is really the right approach at this stage.
> 
> The situation here is that the explicit text is ambiguous. If this were
> already an RFC, we would need to try to determine what it meant so that we
> could agree how implementations ought to be behaving. In that case, yes, we
> would look at this kind of language to attempt to resolve the ambiguity.
> 
> However, this is not an RFC and so our task is to make the specification as
> unambiguous as possible. At this stage, we should be asking what the
> *right* answer is, not what the one that most closely matches the current
> ambiguous text. My argument is that the right answer is the one that most

Yes.  You've convinced me that we need to be (more) explicit one way or the other.

Please treat my remark as a contribution to enumerating places in the document
that would need to change if we were to allow responses outside of the flags
extension.

-Ben

> closely embodies the broader goal of saving bandwidth for low-information
> signals, in this case the signal that the client could process a given
> server extension. So, yes, the client's extension contains no interesting
> information but the server's does, which, I think, is consistent with this
> text, even if, arguably, it's not the better reading.
> 
> I can certainly see arguments against forbidding this practice for
> technical reasons (e.g., simplicity), but, again, then the specification
> should just say so.
> 
> -Ekr

v2.23.0 | Report a Bug | By Email