Re: [TLS] Version negotiation, take two

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 15 September 2016 21:50 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Date: Thu, 15 Sep 2016 21:50:26 +0000
Message-ID: <DM2PR0301MB084798222BDE7EDB03FFADF28CF00@DM2PR0301MB0847.namprd03.prod.outlook.com>
References: <CAF8qwaA86yytg29QOD_N7ARimh9QcNGU_nnr_OrxqCrvrk2MBg@mail.gmail.com> <4707488.xUP5jY4WDA@pintsize.usersys.redhat.com> <CY1PR0301MB0842F99D7A32DFDCD18B3EAB8CF10@CY1PR0301MB0842.namprd03.prod.outlook.com> <2260393.jBGLD1rnRy@pintsize.usersys.redhat.com> <CY1PR0301MB08422C3C4B9B4029C0B423B58CF10@CY1PR0301MB0842.namprd03.prod.outlook.com> <5f09fa69-8d0a-8f83-5dda-ce1fabb51250@akamai.com>
In-Reply-To: <5f09fa69-8d0a-8f83-5dda-ce1fabb51250@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/U0DfEGp7ITAPN4VdFzJivT_sizU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Version negotiation, take two

> Is it just that doing an additional "negotiation" within the extension body constitutes another extension point that we would have to actively defend…

Yes, the proposed negotiation mechanism is based on the premise that one shall "have one joint and keep it well oiled" (https://www.imperialviolet.org/2016/05/16/agility.html). And it's been pointed out that the TLS extensions are the joint that hasn't rusted solid yet.

For me, any one of the three options works (what we have currently, a list of versions in an extension, or one extension per version).

Cheers,

Andrei
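An added example, not part of this thread, of the "list of versions in an extension" option as TLS 1.3 eventually specified it in the supported_versions extension (RFC 8446, section 4.2.1): the server parses the ClientHello form strictly (one-byte length, even number of bytes, no trailing data), ignores version values it does not know (including GREASE-style placeholders), and falls back to legacy_version negotiation capped at TLS 1.2 when the extension is absent. Function and variable names are my own.

```python
"""Server-side version selection for the TLS 1.3 supported_versions extension."""
import struct

TLS12 = 0x0303
TLS13 = 0x0304


def parse_supported_versions(ext_body):
    """Parse the ClientHello form: uint8 length followed by 2-byte versions.

    Rejects any malformed encoding instead of guessing, so the extension
    body cannot become a sloppy second negotiation path.
    """
    if len(ext_body) < 1:
        raise ValueError("empty supported_versions body")
    n = ext_body[0]
    if n == 0 or n % 2 != 0 or 1 + n != len(ext_body):
        raise ValueError("bad supported_versions length")
    return [struct.unpack("!H", ext_body[1 + i:3 + i])[0] for i in range(0, n, 2)]


def build_supported_versions(versions):
    """Encode a client's version list (used here to construct test input)."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    return bytes([len(body)]) + body


def select_version(server_versions, ext_body=None, legacy_version=TLS12):
    """Return the negotiated version, or None if there is no common version.

    With the extension present, the server picks the highest of its own
    versions that the client also listed, ignoring unknown client values.
    Without it, negotiation is the pre-1.3 legacy_version rule, never
    exceeding TLS 1.2 even if legacy_version claims something higher.
    """
    if ext_body is None:
        ceiling = min(legacy_version, TLS12)
        candidates = [v for v in server_versions if v <= ceiling]
        return max(candidates) if candidates else None
    client_versions = parse_supported_versions(ext_body)
    for v in sorted(server_versions, reverse=True):
        if v in client_versions:
            return v
    return None
```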