Re: [TLS] Accepting that other SNI name types will never work.

"Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Fri, 04 March 2016 09:51 UTC

From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 4 Mar 2016 09:03:53 +0000
Message-ID: <D2FEFD67.60862%thomas.fossati@alcatel-lucent.com>
References: <CAMfhd9WNHqfRH=M=_B7_apJ-r43fi8qoe-+VcDkrKPwwhkPR5A@mail.gmail.com> <D2FEE434.6084F%thomas.fossati@alcatel-lucent.com> <D2FEE4F6.60852%thomas.fossati@alcatel-lucent.com> <CABkgnnW93FpW5ZaoMuaEz=CJwsQ25Kxyi_fE6QKzU6v_VSvbxw@mail.gmail.com>
In-Reply-To: <CABkgnnW93FpW5ZaoMuaEz=CJwsQ25Kxyi_fE6QKzU6v_VSvbxw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eU18HUqwJ3L2yz7DpfhGkZALmAc>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Accepting that other SNI name types will never work.

On 04/03/2016 08:42, "TLS on behalf of Martin Thomson"
<tls-bounces@ietf.org on behalf of martin.thomson@gmail.com> wrote:

>On 4 March 2016 at 18:10, Fossati, Thomas (Nokia - GB)
><thomas.fossati@nokia.com> wrote:
>> In CoRE we might need to allocate a new SNI NameType for non-DNS host
>> names [1].
>>
>> Removing SNI extensibility would make it unfeasible.
>
>Not at all.

It would, the way it is formulated at the moment.  But that doesn't
matter; we can change it to whatever as long as we can make it work.


>Define a new extension.  We have evidence that that works.

That can be done, of course.  Although it strikes me as odd to add another
extension given the exact same facility is already in place.

There are various ways SNI can be tightened other than removing the
parametrisation on NameType, e.g. limiting the number of ServerName
entries to 1.
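As an added illustration of the wire format under discussion (this is example code, not part of the thread and not any implementation's own code), the parser below decodes the server_name extension_data of RFC 6066 and, in strict mode, enforces the tightening mentioned in the message: exactly one ServerName entry, with NameType host_name(0) only. The RFC 6066 rules it applies in every mode (no duplicate name_type, ASCII host names, no IP literals) are the published ones; the strict policy and all sample inputs are constructed for this example.

```python
"""Strict parser for the TLS server_name extension (RFC 6066, section 3).

Added example, not from the mailing-list thread. Wire layout of
ServerNameList: uint16 list length, then per entry uint8 name_type,
uint16 name length, name bytes. All sample inputs here are constructed.
"""
import ipaddress
import struct

HOST_NAME = 0  # NameType host_name(0) is the only type RFC 6066 defines


class SniError(ValueError):
    """Raised when the ServerNameList is malformed or violates the policy."""


def build_server_name_list(entries):
    """Encode [(name_type, name_bytes), ...] as server_name extension_data.

    Used here only to construct test vectors for the parser below.
    """
    body = b"".join(struct.pack("!BH", t, len(n)) + n for t, n in entries)
    return struct.pack("!H", len(body)) + body


def check_host_name(name: bytes) -> None:
    """Reject what RFC 6066 forbids in HostName: non-ASCII, empty labels
    (including a trailing dot) and literal IPv4/IPv6 addresses."""
    try:
        text = name.decode("ascii")
    except UnicodeDecodeError:
        raise SniError("HostName is not ASCII") from None
    if not text or "" in text.split("."):
        raise SniError("HostName is not a well-formed DNS name")
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return  # not an IP literal: acceptable
    raise SniError("IP literal is not permitted in HostName")


def parse_server_name_list(ext_data: bytes, strict: bool = True):
    """Decode extension_data into [(name_type, name_bytes), ...].

    strict=True additionally applies the constructed tightening from the
    message: exactly one entry, and only NameType host_name(0).
    """
    if len(ext_data) < 2:
        raise SniError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body):
        raise SniError("ServerNameList length does not match extension_data")
    if list_len == 0:
        raise SniError("ServerNameList must not be empty")

    entries = []
    seen_types = set()
    off = 0
    while off < len(body):
        if off + 3 > len(body):
            raise SniError("truncated ServerName header")
        name_type = body[off]
        (name_len,) = struct.unpack("!H", body[off + 1:off + 3])
        off += 3
        if name_len == 0:
            raise SniError("zero-length name")
        if off + name_len > len(body):
            raise SniError("ServerName length exceeds list")
        if name_type in seen_types:  # RFC 6066: at most one name per name_type
            raise SniError("duplicate name_type in ServerNameList")
        seen_types.add(name_type)
        entries.append((name_type, body[off:off + name_len]))
        off += name_len

    if strict:
        if len(entries) != 1:
            raise SniError("strict policy: exactly one ServerName entry allowed")
        name_type, name = entries[0]
        if name_type != HOST_NAME:
            raise SniError("strict policy: only NameType host_name(0) accepted")
        check_host_name(name)
    return entries


def accepted_host_name(ext_data: bytes):
    """Host name as str under the strict policy, or None when rejected."""
    try:
        return parse_server_name_list(ext_data, strict=True)[0][1].decode("ascii")
    except SniError:
        return None


if __name__ == "__main__":
    # Constructed samples: the first is accepted, the rest are rejected.
    samples = {
        "single host_name": build_server_name_list([(HOST_NAME, b"example.com")]),
        "two entries": build_server_name_list([(HOST_NAME, b"a.example"), (1, b"node")]),
        "unknown NameType 1": build_server_name_list([(1, b"coap-node")]),
        "IPv4 literal": build_server_name_list([(HOST_NAME, b"192.0.2.1")]),
    }
    for label, data in samples.items():
        print(f"{label:20s} -> {accepted_host_name(data)!r}")
```

The non-strict path shows what an extensible parser has to carry (a loop, per-type dispatch, duplicate tracking); the strict path collapses to a single fixed-shape entry, which is the simplification the message argues is available without removing the NameType parameter.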