Re: Ciphersuite specific extensions (was: Re: [TLS] I-D ACTION:draft-ietf-tls-ecc-10.txt)
Bodo Moeller <bmoeller@acm.org> Wed, 08 June 2005 17:48 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dg4fg-0007oM-Kt; Wed, 08 Jun 2005 13:48:56 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dg4fe-0007oH-Qa for tls@megatron.ietf.org; Wed, 08 Jun 2005 13:48:54 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA20814 for <tls@ietf.org>; Wed, 8 Jun 2005 13:48:53 -0400 (EDT)
Received: from moutng.kundenserver.de ([212.227.126.186]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Dg50v-00024T-4R for tls@ietf.org; Wed, 08 Jun 2005 14:10:55 -0400
Received: from S01060030bdc6ced5.cg.shawcable.net [68.147.30.54] (helo=tau.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML29c-1Dg4fU1Ik0-0003OV; Wed, 08 Jun 2005 19:48:44 +0200
Received: by tau.local (Postfix, from userid 500) id 47BDF36274; Wed, 8 Jun 2005 11:48:42 -0600 (MDT)
Date: Wed, 08 Jun 2005 11:48:42 -0600
From: Bodo Moeller <bmoeller@acm.org>
To: tls@ietf.org
Subject: Re: Ciphersuite specific extensions (was: Re: [TLS] I-D ACTION:draft-ietf-tls-ecc-10.txt)
Message-ID: <20050608174841.GA25125@tau.local>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <EC7D742B33592743BF23DAF2B678DE800EBE56BA@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>
User-Agent: Mutt/1.4i
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 2.1 (++)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@lists.ietf.org
Errors-To: tls-bounces@lists.ietf.org
On Wed, Jun 08, 2005 at 09:40:54AM -0700, Ari Medvinsky wrote: > I like this idea, I think it covers well the ecc cipher suite/curve > mapping problem. Are you proposing then to modify the ecc draft to take > a dependency on the next rev of rfc3546? Yes. I hope that it is agreed to change the TLS Extensions specification like this or similar. The TLS-ECC specification should cite the successor of RFC 3546, thus resolving the issue. (Actually, the TLS-ECC specification already *has* to cite the successor of RFC 3546 because TLS-ECC, if published as an Informational RFC, couldn't define it's own TLS extensions according to RFC 3546. draft-ietf-tls-rfc3546bis-##.txt has weaker requirements so that an Informational RFC can define new extensions.) Bodo [I have copied this message to the other authors of draft-ietf-tls-rfc3546bis-01.txt as well (this is a separate mailing to tls@ietf.org which otherwise complains about "too many recipients"). I'd really like to hear more opinions!] > From: Bodo Moeller [mailto:bmoeller@acm.org] > Sent: Tuesday, June 07, 2005 3:02 PM > To: Ari Medvinsky > Cc: tls@ietf.org; vipul.gupta@sun.com; sblakewilson@bcisse.com; Joshua > Ball; Jeff Spelman; Cristian Ilac; Virginia Robbins > Subject: Ciphersuite specific extensions (was: Re: [TLS] I-D > ACTION:draft-ietf-tls-ecc-10.txt) [...] > I have argued for a general mechanism for ciphersuite-dependent TLS > extensions in the past. That is, instead of having individual > specifications defining TLS extensions provide means of restricting > certain extensions to certain ciphersuites, it would make sense to have > a mechanism that can be applied to all extensions, preferably defined in > the successor of RFC 3456. > > For example, extension type 65535 in the client hello could indicate an > extension with content > > struct { > ExtensionRestriction restriction_list<7..2^16-1>; > } RestrictedExtensions; > > where > > struct { > CipherSuite cipher_suites<2..2^16-1>; > Extension extension_list<1..2^16-1>; > } ExtensionRestriction; > > This would indicate that for each ExtensionRestriction, the listed > extensions apply to the listed ciphersuites only. (The server would > collect applicable extensions from those that appear directly in the > client_hello_extension_list field of ClientHello, and those that appear > in an ExtensionRestriction naming the respective ciphersuite.) > > With pluggable ciphersuites, use of the trusted_ca_keys extension would > likely be restricted to certain ciphersuites as well (if only one of the > plug-ins can make sense of a certain trusted CA certificate, then you > wouldn't want to offer it as a trusted authority for other > ciphersuites). And certainly the client_certificate_url extension would > be ciphersuite-specific. > > What do you (and others, of course) think of this approach? _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- RE: Ciphersuite specific extensions (was: Re: [TL… Ari Medvinsky
- Re: Ciphersuite specific extensions (was: Re: [TL… Bodo Moeller
- [TLS] Ciphersuite specific extensions (Last Call … David Hopwood