Re: [TLS] WGLC for "A Flags Extension for TLS 1.3"

This WGLC is now complete. We need more reviews, and likely a bit more work, before moving this ahead. We'll run another WGLC once we have both. 

Yoav, can you please have a look at the comments and concerns raised below and address them as needed?

Thanks,
Chris, on behalf of the chairs

On Mon, Apr 6, 2020, at 3:39 PM, Martin Thomson wrote:
> I like this work, but I don't believe this to be ready yet.
> 
> S1
>    None of the current proposed extensions are such that the server
>    indicates support without the client first indicating support.  So as
>    not to preclude future extensions that are so defined, this
>    specification allows the client to send an empty extension,
>    indicating support for TLS flags in general (and presumably some
>    unspecified features in particular).
> 
> First, for clarification, the distinction between empty and 
> all-zero-valued is perhaps worth drawing on.  Second, more seriously, 
> if this is the goal, the text needs to acknowledge that the possibility 
> exists on a *per-flag* basis.
> 
> Third, more substantially, and invalidating the above, I don't think 
> that we should make flags introduce a new style of negotiation just 
> because it can.  I would strongly prefer that this function as close as 
> possible to "empty ClientHello extension; empty EncryptedExtensions 
> extension".  Aside from that, the utility of an advertisement from the 
> server that a client cannot respond to is pretty marginal.
> 
> Fourth, this conflicts with the following text in S2:
> 
>    A server that supports this extension and also supports at least one
>    of the flag-type features that use this extension and that were
>    declared by the ClientHello extension SHALL send this extension with
>    the intersection of the flags it supports with the flags declared by
>    the client.
> 
> Nit here: this isn't about support alone, it is the flags that the 
> server *chooses* to support.
> 
> S2
>    The server may need to send two tls_flags extensions,
>    one in the ServerHello and the other in the EncryptedExtensions
>    message.  
> 
> Are we confident that sending the same extension in both places is 
> safe?  I know that clients have to implement this and so should be able 
> to test that this works, but it seems awkward.  And it might not be 
> necessary.  It's also not sufficient, as we currently allow responses 
> to ClientHello extensions to appear in Certificate (and for 
> CertificateRequest to carry "requests" in the other direction).
> 
> Perhaps we might avoid this problem entirely.  ServerHello extensions 
> are limited to key exchange.  If we say that flags are limited (today) 
> to functional properties that don't affect key exchange, my thought is 
> that we don't lose much (if anything) by only allowing this extension 
> in EncryptedExtensions.
> 
> I don't know what I think about Certificate extensions.  This seems to 
> have a clear use there.
> 
> Editorial:
> 
> S1
> It might be better to draw examples from the canon of published RFCs 
> than to refer to things that might not get published.
> 
> On Tue, Apr 7, 2020, at 00:53, Christopher Wood wrote:
> > This is the working group last call for the "A Flags Extension for TLS 
> > 1.3" draft, available at:
> > 
> >     https://datatracker.ietf.org/doc/draft-ietf-tls-tlsflags/
> > 
> > Please review the document and send your comments to the list by April 
> > 20, 2020. The GitHub repository for this draft is available at:
> > 
> >     https://github.com/tlswg/tls-flags
> > 
> > Thanks,
> > Chris, on behalf of the chairs
> > 
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>