Re: [TLS] Proposed change in TLS-Flags

David Schinazi <dschinazi.ietf@gmail.com> Wed, 01 July 2020 18:17 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EB933A09E3 for <tls@ietfa.amsl.com>; Wed, 1 Jul 2020 11:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0BE43vscgqp for <tls@ietfa.amsl.com>; Wed, 1 Jul 2020 11:17:37 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAE843A09DC for <tls@ietf.org>; Wed, 1 Jul 2020 11:17:36 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id d21so14256655lfb.6 for <tls@ietf.org>; Wed, 01 Jul 2020 11:17:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AWYfgfghIeg3uCklD+cF1q5T7JdZnK+QQgjTDYezOmM=; b=IwUSSnt1RLROr00kTQDHSqnwsL2/DL1jElnxGFclnDo8avrsGDNwUG7tXzxqOWczqB UZ8eSBA0BpPlUhIarOLKZ4dRfap2Ce9i6XBC1OmQdaPEBVWmfDqxXakowrcz9mCTGW8k HeiJvo8mAv7lCULTQ3TmBy9vA2G3Ha7whR0hrEnGPQNyUY2e8NvmvvT9XKk4yqE7eHqc 5fx790wEt2BXYRAlSxSrkvCiK0jXP2SjUHDSAyCuLv/Jtd/QMYMersZvT/pnzpjH1uWR emeW1LtZysY/J5LW8BG7nd3OWrOq39NJXuWRLoOnOKueffUkAYWfnqc4eJ7EFhtd/Usu +rFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AWYfgfghIeg3uCklD+cF1q5T7JdZnK+QQgjTDYezOmM=; b=G3tZ4HovAuvRIy2hiEz1+OHH2vKwVuLRWRtNtwkdzFZH2AZAVWz2FUCAgPBNssIxM6 cbhb/9GMNpEBsc8OGBgo0My/oZtZK0tsLxUBD1E3WKCZOmjqx+Y8ydBJxruJXiltYXMy REyexXDmL90lo4Pa+KjGJdSSgH04WEFWS/TFs14qVYW8JgfjhiRRn2CNP0Pg4Fu+WW60 oM10zY70dsZDKc/7Rfq7E8lXSy32QiGKr8r9oc9yWOotu8XD09qDQUYu5gXV6cbQPpRi +PU84G6SpbBib+JFDWL2aH6tRZF3jdS39wN+0E0q35DDY2SjQHC8KBaXqBapJ8vuvJzs NR6g==
X-Gm-Message-State: AOAM533VeAjiXBaDR0y0K6ykHAHFED/QP3SvvD2SA9rAqI3moIDuM1jo 9wyKBUjB8iKaqQovQIEmc6BMM8BV/LIduAjOKnuk8A==
X-Google-Smtp-Source: ABdhPJwKuZxBYS5aJkjtgTPoktoW764bcqOpVQOHMYAFzyTJ2JhH33IsR5LWe2etN6jcuCgFnU1Njr56H0YLRM+h1Go=
X-Received: by 2002:ac2:5467:: with SMTP id e7mr15609839lfn.122.1593627454981; Wed, 01 Jul 2020 11:17:34 -0700 (PDT)
MIME-Version: 1.0
References: <1CAC4193-E0CD-4C29-BC05-CED0617BEE19@gmail.com> <CAPDSy+7Mqn3fnYhUwGzo5tBNMTiBQeoKMcABQ_pzK-y7AhmipA@mail.gmail.com> <1496E3F4-FB87-46EE-9F76-86C058A55954@gmail.com> <b0e363f7-9326-4e03-9cc1-d640d9f637a9@www.fastmail.com>
In-Reply-To: <b0e363f7-9326-4e03-9cc1-d640d9f637a9@www.fastmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wed, 1 Jul 2020 11:17:23 -0700
Message-ID: <CAPDSy+4+ZOC=O81ezBwepMsSnAu40PN8v3Omo5uSRHo_jWG0oQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005bca6f05a9654ed5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RmJyCo1MkYCxzCSIDY5p2B17Aus>
Subject: Re: [TLS] Proposed change in TLS-Flags
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 18:17:40 -0000

Thanks for the context, everyone!
Based on that, PR looks good to me. Ship it!

David

On Tue, Jun 30, 2020 at 9:18 PM Martin Thomson <mt@lowentropy.net> wrote:

> More to the point, this makes it more difficult to analyze relative to an
> empty "flag" extension of the likes we currently use.
>
> I haven't implemented this, but I imagine one strategy would be to rewrite
> these flags and pretend that they were empty extensions.  That would allow
> implementations to reuse a lot of infrastructure, like the stuff we added
> for custom extensions.  That would be more difficult if the server can
> speak first.
>
> On Wed, Jul 1, 2020, at 14:03, Yoav Nir wrote:
> > Yeah, the thread that Nick mentioned.
> >
> > Also, since there are no such extensions defined in the base TLS 1.3
> > spec, the server can’t assume that the client knows what either the
> > specific flag means, or the entire flags extension means.
> >
> > So suppose we invent some new client authentication scheme for TLS, it
> > does make sense for the server to signal that it supports this so that
> > the client can do. But I don’t think it’s too onerous to require that
> > the client indicate support first.
> >
> > Yoav
> >
> > > On 1 Jul 2020, at 2:30, David Schinazi <dschinazi.ietf@gmail.com>
> wrote:
> > >
> > > Hi Yoav,
> > >
> > > Could you elaborate on the rationale for this change please?
> > > I was assuming that the ability for servers to send extensions not
> requested by clients was useful.
> > >
> > > Thanks,
> > > David
> > >
> > > On Mon, Jun 29, 2020 at 2:34 PM Yoav Nir <ynir.ietf@gmail.com> wrote:
> > >> Hi
> > >>
> > >> I’ve just submitted the following PR:
> > >>
> > >> https://github.com/tlswg/tls-flags/pull/4
> > >>
> > >> Three changes:
> > >>  * It is no longer allowed to send an empty flags extension. If you
> don’t support any flags, don’t send the extension.
> > >>  * The server is no longer allowed to respond with flag types that
> the client didn’t indicate support for first.
> > >>  * I’ve split the extension description section into a format section
> and a rules section
> > >>
> > >> Please comment. Barring any objections, I’ll merge the PR just before
> the submission deadline.
> > >>
> > >> Yoav
> > >>
> > >> _______________________________________________
> > >>  TLS mailing list
> > >> TLS@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/tls
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>