Re: [TLS] Proposed change in TLS-Flags
David Schinazi <dschinazi.ietf@gmail.com> Wed, 01 July 2020 18:17 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EB933A09E3 for <tls@ietfa.amsl.com>; Wed, 1 Jul 2020 11:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0BE43vscgqp for <tls@ietfa.amsl.com>; Wed, 1 Jul 2020 11:17:37 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAE843A09DC for <tls@ietf.org>; Wed, 1 Jul 2020 11:17:36 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id d21so14256655lfb.6 for <tls@ietf.org>; Wed, 01 Jul 2020 11:17:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AWYfgfghIeg3uCklD+cF1q5T7JdZnK+QQgjTDYezOmM=; b=IwUSSnt1RLROr00kTQDHSqnwsL2/DL1jElnxGFclnDo8avrsGDNwUG7tXzxqOWczqB UZ8eSBA0BpPlUhIarOLKZ4dRfap2Ce9i6XBC1OmQdaPEBVWmfDqxXakowrcz9mCTGW8k HeiJvo8mAv7lCULTQ3TmBy9vA2G3Ha7whR0hrEnGPQNyUY2e8NvmvvT9XKk4yqE7eHqc 5fx790wEt2BXYRAlSxSrkvCiK0jXP2SjUHDSAyCuLv/Jtd/QMYMersZvT/pnzpjH1uWR emeW1LtZysY/J5LW8BG7nd3OWrOq39NJXuWRLoOnOKueffUkAYWfnqc4eJ7EFhtd/Usu +rFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AWYfgfghIeg3uCklD+cF1q5T7JdZnK+QQgjTDYezOmM=; b=G3tZ4HovAuvRIy2hiEz1+OHH2vKwVuLRWRtNtwkdzFZH2AZAVWz2FUCAgPBNssIxM6 cbhb/9GMNpEBsc8OGBgo0My/oZtZK0tsLxUBD1E3WKCZOmjqx+Y8ydBJxruJXiltYXMy REyexXDmL90lo4Pa+KjGJdSSgH04WEFWS/TFs14qVYW8JgfjhiRRn2CNP0Pg4Fu+WW60 oM10zY70dsZDKc/7Rfq7E8lXSy32QiGKr8r9oc9yWOotu8XD09qDQUYu5gXV6cbQPpRi +PU84G6SpbBib+JFDWL2aH6tRZF3jdS39wN+0E0q35DDY2SjQHC8KBaXqBapJ8vuvJzs NR6g==
X-Gm-Message-State: AOAM533VeAjiXBaDR0y0K6ykHAHFED/QP3SvvD2SA9rAqI3moIDuM1jo 9wyKBUjB8iKaqQovQIEmc6BMM8BV/LIduAjOKnuk8A==
X-Google-Smtp-Source: ABdhPJwKuZxBYS5aJkjtgTPoktoW764bcqOpVQOHMYAFzyTJ2JhH33IsR5LWe2etN6jcuCgFnU1Njr56H0YLRM+h1Go=
X-Received: by 2002:ac2:5467:: with SMTP id e7mr15609839lfn.122.1593627454981; Wed, 01 Jul 2020 11:17:34 -0700 (PDT)
MIME-Version: 1.0
References: <1CAC4193-E0CD-4C29-BC05-CED0617BEE19@gmail.com> <CAPDSy+7Mqn3fnYhUwGzo5tBNMTiBQeoKMcABQ_pzK-y7AhmipA@mail.gmail.com> <1496E3F4-FB87-46EE-9F76-86C058A55954@gmail.com> <b0e363f7-9326-4e03-9cc1-d640d9f637a9@www.fastmail.com>
In-Reply-To: <b0e363f7-9326-4e03-9cc1-d640d9f637a9@www.fastmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wed, 01 Jul 2020 11:17:23 -0700
Message-ID: <CAPDSy+4+ZOC=O81ezBwepMsSnAu40PN8v3Omo5uSRHo_jWG0oQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005bca6f05a9654ed5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RmJyCo1MkYCxzCSIDY5p2B17Aus>
Subject: Re: [TLS] Proposed change in TLS-Flags
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 18:17:40 -0000
Thanks for the context, everyone! Based on that, PR looks good to me. Ship it! David On Tue, Jun 30, 2020 at 9:18 PM Martin Thomson <mt@lowentropy.net> wrote: > More to the point, this makes it more difficult to analyze relative to an > empty "flag" extension of the likes we currently use. > > I haven't implemented this, but I imagine one strategy would be to rewrite > these flags and pretend that they were empty extensions. That would allow > implementations to reuse a lot of infrastructure, like the stuff we added > for custom extensions. That would be more difficult if the server can > speak first. > > On Wed, Jul 1, 2020, at 14:03, Yoav Nir wrote: > > Yeah, the thread that Nick mentioned. > > > > Also, since there are no such extensions defined in the base TLS 1.3 > > spec, the server can’t assume that the client knows what either the > > specific flag means, or the entire flags extension means. > > > > So suppose we invent some new client authentication scheme for TLS, it > > does make sense for the server to signal that it supports this so that > > the client can do. But I don’t think it’s too onerous to require that > > the client indicate support first. > > > > Yoav > > > > > On 1 Jul 2020, at 2:30, David Schinazi <dschinazi.ietf@gmail.com> > wrote: > > > > > > Hi Yoav, > > > > > > Could you elaborate on the rationale for this change please? > > > I was assuming that the ability for servers to send extensions not > requested by clients was useful. > > > > > > Thanks, > > > David > > > > > > On Mon, Jun 29, 2020 at 2:34 PM Yoav Nir <ynir.ietf@gmail.com> wrote: > > >> Hi > > >> > > >> I’ve just submitted the following PR: > > >> > > >> https://github.com/tlswg/tls-flags/pull/4 > > >> > > >> Three changes: > > >> * It is no longer allowed to send an empty flags extension. If you > don’t support any flags, don’t send the extension. > > >> * The server is no longer allowed to respond with flag types that > the client didn’t indicate support for first. > > >> * I’ve split the extension description section into a format section > and a rules section > > >> > > >> Please comment. Barring any objections, I’ll merge the PR just before > the submission deadline. > > >> > > >> Yoav > > >> > > >> _______________________________________________ > > >> TLS mailing list > > >> TLS@ietf.org > > >> https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Proposed change in TLS-Flags Yoav Nir
- Re: [TLS] Proposed change in TLS-Flags David Schinazi
- Re: [TLS] Proposed change in TLS-Flags Nick Harper
- Re: [TLS] Proposed change in TLS-Flags Yoav Nir
- Re: [TLS] Proposed change in TLS-Flags Martin Thomson
- Re: [TLS] Proposed change in TLS-Flags Hannes Tschofenig
- Re: [TLS] Proposed change in TLS-Flags Hannes Tschofenig
- Re: [TLS] Proposed change in TLS-Flags Yoav Nir
- Re: [TLS] Proposed change in TLS-Flags David Schinazi
- Re: [TLS] Proposed change in TLS-Flags Hannes Tschofenig