Re: [TLS] Comments on TLS extension mechanism

David Hopwood <> Sat, 24 June 2006 23:57 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1FuI0G-0002r2-Mb; Sat, 24 Jun 2006 19:57:28 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1FuI0E-0002qx-Lx for; Sat, 24 Jun 2006 19:57:26 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1FuI0D-0001mi-9u for; Sat, 24 Jun 2006 19:57:26 -0400
Received: from [] (helo=anti-virus01-07) by with smtp (Exim 4.52) id 1FuI0C-000099-DD for; Sun, 25 Jun 2006 00:57:24 +0100
Received: from ([] helo=[]) by with esmtp (Exim 4.52) id 1FuI0B-0006zt-UO for; Sun, 25 Jun 2006 00:57:24 +0100
Message-ID: <>
Date: Sun, 25 Jun 2006 00:57:18 +0100
From: David Hopwood <>
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Re: [TLS] Comments on TLS extension mechanism
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 21c69d3cfc2dd19218717dbe1d974352
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

Kyle Hamilton wrote:
> Because, as I understand it, within every protocol (including IP)
> there has been a specific item dedicated to research.  There is
> certainly no current shortage of IDs... but there's also nothing in
> place to provide a mechanism when resource exhaustion occurs.

When and if 60000 IDs have been exhausted, I promise to revisit this

(Note that this would require 13 times more RFCs describing TLS extension
mechanisms, assuming one RFC per extension, than the current total number
of published RFCs.)

> There's also nothing in place to keep experimental IDs from trampling
> on each other.

Assigning IDs for experiments has pros and cons. In general, for numbers
where there is no range allocated to experiments, there is an implied
obligation on the experimenter to make sure that an implementation that
supports the experiment is not used on a public network in such a way
that it could cause disruption to other network users.

In any case, the time to raise this issue would have been when RFC 4366
was being discussed. The next opportunity to change the policy is when
the extension mechanism is incorporated into TLS 1.2.

> (In this particular case, I'd like to inform the other end of
> what security policy this computer must implement, and determine if
> there is a compatible mapping before continuing the connection.  This
> determination is not something that any current protocol does, and I
> want to research the security issues with such an action as this
> before I make any kind of proposal about it.)
> If you're worried about "increasing the complexity of the current
> parser", put a length integer just after the extension ID so the
> parser knows how much to skip if it doesn't understand the extension.

The issue is unnecessary complexity for implementations that do understand
the extension, not for implementations that do not understand it.

David Hopwood <>

TLS mailing list