Re: [TLS] TLS 1.3 Application Identifier ?

Pascal Urien <pascal.urien@gmail.com> Wed, 16 July 2014 22:03 UTC

In-Reply-To: <4F8BD5B9-0D93-41EC-AC87-2F8519CC0980@iki.fi>
References: <CAEQGKXRhAh2BvwY0xCCf-BN6kh37_athgYQ+Ha7LJE0DYvSCVg@mail.gmail.com> <ce96173c-e886-4c90-a567-8fd445ed7169@email.android.com> <CAEQGKXTby0hwY+Ttxki1CJ7aimkGOgEuxcGcMw2z_HQt3H0-LQ@mail.gmail.com> <CABkgnnW2MBpBd5inPTj0V0aH69g7JOGuRtAA9o+-hYniEgYGSA@mail.gmail.com> <CAEQGKXQ3bxQKLVLoYxiEkyJ7cG+8RYSyuxHKoNDi=UYkV-rrGA@mail.gmail.com> <4F8BD5B9-0D93-41EC-AC87-2F8519CC0980@iki.fi>
Date: Thu, 17 Jul 2014 00:02:59 +0200
Message-ID: <CAEQGKXSwg+-q09SCfavu_E-Yabh-TGShp1vpjfUwZuFn-woR2Q@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
To: Juho Vähä-Herttua <juhovh@iki.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/avbLWTH-onRkMoys5f3mM9zEdVE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 Application Identifier ?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

I believe that TLS 1.3 should work for the next 20 years, in ecosystems
such as IoT or others.

And so, for a future framework, no mandatory means to identify the transported
applications? No relationship between certificates and applications?

TLS 1.3 should be just a security layer, with no link to the transported
apps?

Pascal


2014-07-16 21:49 GMT+02:00 Juho Vähä-Herttua <juhovh@iki.fi>:

> On 16.7.2014, at 22.21, Pascal Urien <pascal.urien@gmail.com> wrote:
> >
> > For me TLS is a transport layer
> >
> > UDP or TCP are transport layers. They identify the transported app PDUs
> by a port number.
>
> I'm a bit lost here, as far as I know TLS always works on top of UDP or
> TCP, and therefore the port numbers identifying transported apps apply
> there as well.
>
> > Without a mandatory application identifier the TLS 1.3 will not give by
> default any information on the transported application
>
> It does give information with the port number, and if e.g. 443 is
> always used for firewall compatibility, then ALPN works.
>
> > I believe that a client certificate should be bound to an application.
>
> Can you give some specific reasoning for this? I don't see anything
> forbidding certificate selection based on ALPN either. Or you can run TLS
> in different TCP ports for different applications.
>
> > If no application identifier is available, the client could set it to
> null.
>
> Or it could simply not send the ALPN extension.
>
>
> Juho
>
>
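The two mechanisms Juho points at in the quoted reply, a server that selects its certificate from the client's ALPN list and a client that simply does not send the ALPN extension, as an added example in Go built on the standard crypto/tls package. This is not code from the thread or from any IETF document. The ALPN identifiers "mqtt" and "coap" (both IANA-registered), the hostname example.test, the certificate names and the choice of self-signed in-memory certificates are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed for this example: two IoT protocols with IANA-registered ALPN
// identifiers, in server preference order, plus the CN of the certificate
// served to clients that send no ALPN extension at all.
var serverProtos = []string{"mqtt", "coap"}

const defaultCN = "no-alpn-default"

// selfSigned mints an in-memory self-signed certificate (demo material only)
// whose CN names the application it belongs to.
func selfSigned(cn string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Setup builds one certificate per ALPN protocol plus the default and returns
// a TLS 1.3 server config that picks among them from the ClientHello, plus a
// root pool the client can use to verify whichever one is presented.
func Setup() (*tls.Config, *x509.CertPool, error) {
	roots, certs := x509.NewCertPool(), map[string]tls.Certificate{}
	for i, cn := range append([]string{defaultCN}, serverProtos...) {
		c, err := selfSigned(cn, int64(i+1))
		if err != nil {
			return nil, nil, err
		}
		roots.AddCert(c.Leaf)
		certs[cn] = c
	}
	srv := &tls.Config{
		MinVersion: tls.VersionTLS13,
		NextProtos: serverProtos,
		// net.Pipe has no reader once the handshake is done, so a post-handshake
		// NewSessionTicket would block the server goroutine forever.
		SessionTicketsDisabled: true,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if len(hello.SupportedProtos) == 0 {
				c := certs[defaultCN] // the client simply did not send ALPN
				return &c, nil
			}
			// Mirror ALPN negotiation (first server-preferred protocol the
			// client also offered) so certificate and protocol always agree.
			for _, sp := range serverProtos {
				for _, cp := range hello.SupportedProtos {
					if sp == cp {
						c := certs[sp]
						return &c, nil
					}
				}
			}
			// crypto/tls already answers a no-overlap offer with a
			// no_application_protocol alert; keep the policy explicit anyway.
			return nil, errors.New("no certificate for any offered ALPN protocol")
		},
	}
	return srv, roots, nil
}

// Handshake runs one TLS 1.3 handshake over an in-memory pipe with a client
// offering clientProtos (nil: no ALPN extension) and reports the negotiated
// protocol and the CN of the certificate the server actually presented.
func Handshake(srv *tls.Config, roots *x509.CertPool, clientProtos []string) (proto, certCN string, err error) {
	cpipe, spipe := net.Pipe()
	defer cpipe.Close()
	serverDone := make(chan error, 1)
	go func() {
		serverDone <- tls.Server(spipe, srv).Handshake()
		spipe.Close()
	}()
	client := tls.Client(cpipe, &tls.Config{
		MinVersion: tls.VersionTLS13,
		ServerName: "example.test",
		RootCAs:    roots,
		NextProtos: clientProtos,
	})
	err = client.Handshake()
	if serr := <-serverDone; err == nil { // the server side finishes once the client has
		err = serr
	}
	if err != nil {
		return "", "", err
	}
	st := client.ConnectionState()
	return st.NegotiatedProtocol, st.PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	srv, roots, err := Setup()
	if err != nil {
		panic(err)
	}
	for _, offer := range [][]string{{"mqtt"}, {"coap", "mqtt"}, nil, {"h2"}} {
		proto, cn, err := Handshake(srv, roots, offer)
		fmt.Printf("client ALPN %v -> proto=%q cert=%q err=%v\n", offer, proto, cn, err)
	}
}
```

Running it shows the four cases the thread argues over: a client offering "mqtt" gets the mqtt certificate, a client offering "coap, mqtt" still gets mqtt because server preference wins, a client that sends no ALPN extension gets the default certificate with no negotiated protocol, and a client offering only an unknown identifier ("h2" here) is refused at the handshake. Two caveats for anyone relying on this as an application binding: in TLS 1.3 the ALPN extension travels in the cleartext ClientHello, so it is as visible to the network as a port number (only the server's selection, in EncryptedExtensions, is protected), and ClientHelloInfo also carries the SNI server name, which is the other identifier GetCertificate can key on.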