Re: [TLS] WGLC for draft-ietf-tls-flags
Michael StJohns <msj@nthpermutation.com> Sun, 18 July 2021 23:26 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1743A14E0 for <tls@ietfa.amsl.com>; Sun, 18 Jul 2021 16:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cBzhQuZM-kuY for <tls@ietfa.amsl.com>; Sun, 18 Jul 2021 16:26:58 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDEA63A14D6 for <tls@ietf.org>; Sun, 18 Jul 2021 16:26:57 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id c68so10329719qkf.9 for <tls@ietf.org>; Sun, 18 Jul 2021 16:26:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=mdHafn2NMMoBe32okXiCYksCE/s5Lq3aijv9C+k0CjM=; b=SrFvHLTVDID8pQpOaixk49Tja8gFqaR63ISSCcrvHZJsqOnvhgET/hrBmfdzoDuxwc u97VeZ6yVtQr6xb8sL7HeRGOrHGI9/Mx9x1AX/i1+JZLeSA5XBG8kIwHgrSi7gY5LLN6 SMYsvzge1kfGc3nhH2WlMBdoIa8NvJoYIWuPG8QLCwFfmpgq6OKsNhp7mQSm/bxDQnRZ KHglYwbgcI8Xnd2/A5Lf5vSjxF2TIiH/cLdRthnlgbgLT/XwDGsdlzwdKYOsdxRVJCRQ MRczhiqBC3kkdIbGH1yoCCYNqPQ0zCH8kvwcvcVaZyfe0dVI9YpjjoZNhredqUTMJd0x MzDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=mdHafn2NMMoBe32okXiCYksCE/s5Lq3aijv9C+k0CjM=; b=ZOqeqUdWJGXcMzkK5ABBT/1y6NjkWm7hOrnccCv42uYP8b/UG0FNA7XdBZjNaH7+WL 7DNxcuNlp/wtV1VQ1PAwxFGpWRnvOUGMn0qDHSjSpLgDovBrDm6eBYminBOqnEmjYuIs jnbdSDWDBw4JOibqQ7BUA3nMi6kbaI3Zw7Vs4fomVjjwQnQNPd7zKM+nj8WjS7ZgAInU YiDX5rB5+40KpQsgehQkTeArajvUJ1jdflhCDbhaVVJizk5k3/eK59Y4JYtCYMuC5BBp B63j6bU+ubqIbXRTnt9Y4WbBT9PohERF80AAyjpJIP1+XJTjRge0g8SWwWPkC8+0ksaP PeJQ==
X-Gm-Message-State: AOAM532H60EEv2oDKJxeQEAt2rF2QGbYStL5Z+bzMCEcAAFjLim18073 gO+YedD/xNCOGVqXmR+zC0F3x+Rg+O/jfl+NG2c=
X-Google-Smtp-Source: ABdhPJy08juVLv0WFdH9VGS1NlMnhklCY6bxQuWtKzShotxsHH9FFbCiDOToZetBxpxfAwx/GI8TqQ==
X-Received: by 2002:a37:9cf:: with SMTP id 198mr982856qkj.60.1626650814633; Sun, 18 Jul 2021 16:26:54 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-51-200-187.washdc.fios.verizon.net. [108.51.200.187]) by smtp.gmail.com with ESMTPSA id h13sm7318122qkg.13.2021.07.18.16.26.53 for <tls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 18 Jul 2021 16:26:53 -0700 (PDT)
To: tls@ietf.org
References: <08c558b7-2215-4924-b6a4-807b9b3c8d84@www.fastmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <7fdb8ccb-6102-beea-69df-cd2aba1dbdd4@nthpermutation.com>
Date: Sun, 18 Jul 2021 19:26:52 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <08c558b7-2215-4924-b6a4-807b9b3c8d84@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/b0rg-Jl6TbeV13JPzvvqFsMEW9k>
Subject: Re: [TLS] WGLC for draft-ietf-tls-flags
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2021 23:27:00 -0000
On 7/16/2021 7:55 PM, Christopher Wood wrote: > This is the second working group last call for the "A Flags Extension for TLS 1.3" draft, available here: > > https://datatracker.ietf.org/doc/draft-ietf-tls-tlsflags/ > > Please review this document and send your comments to the list by July 30, 2021. The GitHub repository for this draft is available here: > > https://github.com/tlswg/tls-flags > > Thanks, > Chris, on behalf of the chairs > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls Hi - I have not followed the discussion of this document on the mailing list so this review is only against the document itself. It's possible that these concerns have already been discussed. Section 2 requires (MUST) the generation of fatal illegal_parameter alert upon reception of a mal-encoded extension (e.g. any trailing zero bytes), but compare and contrast this with section 3 which is full of MUST and MUST NOT declarations but with no concrete actions to be taken. E.g. if I (server or client) send 0x01 0x10, and receive 0x01 0x11 from the client or server, wouldn't that be an illegal value as I've added a bit not sent to me? Should that cause the same fatal illegal_parameter alert? Alternately, "receiver MUST ignore received bits that weren't sent" language could clean this up. Section 4 is a bit painful to read in that it took me three read-throughs to understand that what the document is asking for is a monolithic registry which requires "expert review" for all registrations, but where the experts are responsible for the sub range determinations. Usually, that's not the way the IANA works. If a registry has distinct set of ranges, each range normally has a specific registration procedure that the IANA follows before placing a parameter in that registry. I'd strongly suggest reviewing RFC 8126 and chatting with the IANA to see if its possible to reform the registration process along more normal IANA lines. E.g.: 0-7 - Standards Action and Expert Request 8-31 - Standards Action 32 - 63 Specification Required or IETF Review (pick one) 64-79 Private Use 80-127 RFU or Expert Review 128-2039 First Come First Served Absent these two points, the rest of the content looks good. I'd recommend a draft pass to fix these two items. Later, Mike
- [TLS] WGLC for draft-ietf-tls-flags Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-flags Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-flags Michael StJohns
- Re: [TLS] WGLC for draft-ietf-tls-flags Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-flags Yoav Nir
- Re: [TLS] WGLC for draft-ietf-tls-flags Yoav Nir
- Re: [TLS] WGLC for draft-ietf-tls-flags Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-flags Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-flags StJohns, Michael
- Re: [TLS] WGLC for draft-ietf-tls-flags Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-flags Christopher Wood