Re: [TLS] Next Protocol Negotiation 03

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 15 November 2012 19:43 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Thu, 15 Nov 2012 19:41:07 +0000
Message-ID: <f1b53255c1f54773ab92a119c559fe1f@BN1PR03MB072.namprd03.prod.outlook.com>
References: <CAL9PXLy31VzxLidgOy64MnDAyRE=HU=hxyBXW1rgB+Xnd0vKjA@mail.gmail.com> <4F981528.9010903@gnutls.org> <CAL9PXLzWNTxOjRnVPk67anfAkWizagcAsWRWJM3ShY6oWv9PjA@mail.gmail.com> <4F985162.7040405@extendedsubset.com> <f5178418cb4549fea8e210d6a3bc22d1@BN1PR03MB072.namprd03.prod.outlook.com> <CAL9PXLx4Qc_zjDWC2z_Gg-XAZ_VVNtBun9SpHFWe6Fgs=cpYiw@mail.gmail.com> <462d1af8e2f84827abfac376f21d06d2@BN1PR03MB072.namprd03.prod.outlook.com> <7C5DB110-3025-477E-9B59-C7D05C2AEB63@vpnc.org>
In-Reply-To: <7C5DB110-3025-477E-9B59-C7D05C2AEB63@vpnc.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Next Protocol Negotiation 03

Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Nov 14, 2012, at 3:30 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:

> > In those situations where the next protocol negotiation needs to be confidential, one could use TLS renegotiation. Alternatively, the next protocol can be negotiated after exchanging Finished messages, outside of the TLS handshake.

> Renegotiation adds round trips and complexity, as we have seen in this WG. "Outside of the TLS handshake" just pushes this off to layer 7 and forces a change to all application servers and clients to do the negotiation. It seems cleaner to keep this in TLS.

The servers and clients (and/or middleware that they use) will likely need an update anyway, in order to:
1. Enable the TLS-NPN extension;
2. Communicate next protocol options to the TLS layer;
3. Extract the negotiated protocol info from the TLS layer;
4. Switch to the negotiated protocol.

Andrei Popov
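The four integration steps listed in the message above, worked through in code as an added example (this is not code from the thread, from Microsoft, or from the NPN draft). Go's crypto/tls never implemented NPN, so the example uses ALPN (RFC 7301, the extension that replaced NPN) in its place: step 1 and 2 are the NextProtos lists each side hands to its TLS layer, step 3 is reading NegotiatedProtocol from the connection state after the handshake, and step 4 is the dispatch function. The handler names, the self-signed loopback certificate and the protocol lists are constructed for the example. The GetConfigForClient callback is there to show the server reading the client's protocol list straight out of the ClientHello, which is sent in the clear; that visibility is the confidentiality question the thread is debating (NPN, unlike ALPN, carried the client's final choice in an encrypted NextProtocol message after ChangeCipherSpec).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example: the four NPN integration steps from the thread, done with ALPN
// (NPN's successor) because crypto/tls has no NPN support. All names are ours.

// NegotiationResult is what each side learned from one loopback handshake.
type NegotiationResult struct {
	ClientOffered  []string // list the server saw in the ClientHello (sent in the clear)
	ServerSelected string   // protocol the server's TLS layer reports (step 3)
	ClientSelected string   // protocol the client's TLS layer reports (step 3)
	Handler        string   // application handler the server dispatched to (step 4)
}

// selfSignedCert makes a throwaway ECDSA certificate for 127.0.0.1 (example only).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "npn-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// dispatch is step 4: switch to the protocol the TLS layer negotiated. An empty
// string means the peer did not use the extension, so fall back to the default.
func dispatch(negotiated string) string {
	switch negotiated {
	case "h2":
		return "http2-handler"
	case "http/1.1", "":
		return "http1-handler"
	default:
		return "reject"
	}
}

// Negotiate runs one TLS handshake over loopback with the given ALPN lists
// (steps 1 and 2) and returns what each side extracted afterwards.
func Negotiate(clientProtos, serverProtos []string) (NegotiationResult, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return NegotiationResult{}, err
	}
	type serverSide struct {
		selected string
		err      error
	}
	seen := make(chan []string, 1)
	done := make(chan serverSide, 1)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos, // server preference order decides the match
		// Runs before the server answers: SupportedProtos is the client's ALPN
		// list exactly as it arrived in the unencrypted ClientHello.
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- append([]string(nil), hi.SupportedProtos...)
			return nil, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return NegotiationResult{}, err
	}
	defer ln.Close()

	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- serverSide{err: err}
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- serverSide{err: err}
			return
		}
		done <- serverSide{selected: tc.ConnectionState().NegotiatedProtocol}
	}()

	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,
		NextProtos: clientProtos,
	})
	if err != nil {
		return NegotiationResult{}, err
	}
	defer client.Close()

	srv := <-done
	if srv.err != nil {
		return NegotiationResult{}, srv.err
	}
	res := NegotiationResult{
		ClientOffered:  <-seen,
		ServerSelected: srv.selected,
		ClientSelected: client.ConnectionState().NegotiatedProtocol,
	}
	res.Handler = dispatch(res.ServerSelected)
	return res, nil
}

func main() {
	res, err := Negotiate([]string{"http/1.1", "h2"}, []string{"h2", "http/1.1"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Two things worth noticing when running it: the server's preference order wins (client offers http/1.1 first, server prefers h2, result is h2), and a client that sends no extension at all still completes the handshake with an empty NegotiatedProtocol, so step 4 must have a default branch rather than assuming the negotiation happened.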