Re: [TLS] Keeping TLS extension points working

David Benjamin <> Mon, 25 July 2016 22:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ACC5512D0B2 for <>; Mon, 25 Jul 2016 15:35:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5Hm8Zl21ioem for <>; Mon, 25 Jul 2016 15:35:49 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8857912B029 for <>; Mon, 25 Jul 2016 15:35:48 -0700 (PDT)
Received: by with SMTP id l69so138089969lfg.1 for <>; Mon, 25 Jul 2016 15:35:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Cqien/fxRG2Xq+12qGWaS61nbICBl4UIjXanqOU66Jw=; b=MBk5C9ZLq7teq1zjQwmJKDGt+6a53NUZj102TPpV0NZ3hIgla6NViNZ6I1G/2x95gq BFAHq1wPLe+Ka5FbT7uhOsdX1uYljpCgsiTdFzPqsUPi20WR7p0PfXk7ByTPfaT04Zvp e8TYr1WDFiEiMNqJDTkDyHfJd/NEw7GuaxADY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Cqien/fxRG2Xq+12qGWaS61nbICBl4UIjXanqOU66Jw=; b=euodnFqmUlZecEYSvnGjl40fxMRmzICy94dY8qHCgQPp5ABIe9YaWYf4R4wKIPSFhH TtHZ6SqLGGAZdTt7EurHaI6NIKxqN/8xZMyYAt7ChER5b5Plx6rWG7XKK9Y200x2EvQt bvjAJyX7s5SlTqbl5RLAwZNgmQQQU7FpDL5aTAh7mDM7vUGkSgEECS5Xo8jQx7gxec52 /ua7YYmKkIqOXqsBBWNRnkqLHDQ/5Zb49nuIPimKP8zEhYlFHKMUBuXyNxKaTHiTjCYi TmuDRy2HMchD/EX87Tw813cIzT3t2uSJiyq1n13kjM2ZRKWajrDAknpPYCwr7FY2t8gh uVQw==
X-Gm-Message-State: AEkoousdqiWHyqQJOvFfSvqs00oXnZlmMKhHW0x3A04kzDdkN+JJJE4obhHTY4RN41G1Jl5Cokkh7frXb8yjD79Q
X-Received: by with SMTP id t129mr8753756lfd.163.1469486146503; Mon, 25 Jul 2016 15:35:46 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: David Benjamin <>
Date: Mon, 25 Jul 2016 22:35:37 +0000
Message-ID: <>
To: "" <>
Content-Type: multipart/alternative; boundary=001a11402830c4212405387d67dc
Archived-At: <>
Subject: Re: [TLS] Keeping TLS extension points working
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Jul 2016 22:35:52 -0000

On Mon, Jul 25, 2016 at 6:32 PM David Benjamin <>

> Hi folks,
> I'm not sure how this process usually works, but I would like to reserve a
> bunch of values in the TLS registries to as part of an idea to keep our
> extension points working. Here's an I-D:
> (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
> from )
> One problem we repeatedly run into is servers failing to implement TLS's
> various extension points correctly. The most obvious being version
> intolerance. When we deployed X25519 in Chrome, we discovered an intolerant
> implementation. (Thankfully it was rare enough to not warrant a fallback or
> revert!)

Er, I lost a sentence here, sorry.

I meant that, in addition to version intolerance other extension points
have also gathered rust. The X25519 trouble was an example of named curve
intolerance, not version. (Someone forgot a default in their switch-case.)

> It appears that signature algorithms maybe also be gathering rust. Ciphers
> and extensions seem to have held up, but I would like to ensure they stay
> that way.
> The root problem here is these broken servers interoperate fine with
> clients at the time they are deployed. It is only after new values get
> defined do we notice, by which time it is too late.
> I would like to fix this by reserving a few values in our registries so
> that clients may advertise random ones and regularly exercise these
> codepaths in servers. If enough of the client base does this, we can turn a
> large class of tomorrow's interop failures into today's interop failures.
> This is important because an bug will not thrive in the ecosystem if it
> does not work against the current deployment.
> If you were in Berlin, you may recognize this idea from the version
> negotiation debate. Alas that all happened in the wrong order as I hadn't
> written this up yet. This idea can't be applied to versioning without
> giving up on ClientHello.version, but we can start with the rest of the
> protocol.
> David
> PS: This is actually my first I-D, so apologies if I've messed it up
> somewhere!