Re: [TLS] New Version Notification for draft-friel-tls-over-http-00.txt
Patrick McManus <pmcmanus@mozilla.com> Wed, 01 November 2017 17:17 UTC
Return-Path: <pmcmanus@mozilla.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B50A813F978 for <tls@ietfa.amsl.com>; Wed, 1 Nov 2017 10:17:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.733
X-Spam-Level:
X-Spam-Status: No, score=-0.733 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SORBS_SPAM=0.5, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Xvm_c_Ri5n1 for <tls@ietfa.amsl.com>; Wed, 1 Nov 2017 10:17:18 -0700 (PDT)
Received: from linode64.ducksong.com (www.ducksong.com [192.155.95.102]) by ietfa.amsl.com (Postfix) with ESMTP id EFD9F13F971 for <tls@ietf.org>; Wed, 1 Nov 2017 10:17:17 -0700 (PDT)
Received: from mail-lf0-f53.google.com (mail-lf0-f53.google.com [209.85.215.53]) by linode64.ducksong.com (Postfix) with ESMTPSA id 2F8FF3A7DD for <tls@ietf.org>; Wed, 1 Nov 2017 13:17:15 -0400 (EDT)
Received: by mail-lf0-f53.google.com with SMTP id l23so3308853lfk.10 for <tls@ietf.org>; Wed, 01 Nov 2017 10:17:15 -0700 (PDT)
X-Gm-Message-State: AJaThX7mSeZcN9yHN0UDdjZBB5viO9Cdq7mVZiIBY9Jyl7PpnvFItfRT zMifVIktI0+xCjGjtFoNTAm9DKn2/XHCmVKPV2g=
X-Google-Smtp-Source: ABhQp+QF5220CdF8LSjKnD6Uivc8bA3c0YpHBvUTx/RSyqqs8QmNwJU8QsLedBP1j3LiD4WwJJQa9CM20LFUt/k0jxA=
X-Received: by 10.25.84.134 with SMTP id b6mr180796lfl.168.1509556632738; Wed, 01 Nov 2017 10:17:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.21.22 with HTTP; Wed, 1 Nov 2017 10:17:11 -0700 (PDT)
In-Reply-To: <6d448c71-8585-be88-302d-feee7e098ac9@cs.tcd.ie>
References: <150939282345.7694.10153977158870845060.idtracker@ietfa.amsl.com> <CAL02cgRS715Vc+4_QNDSNBW8LP1f-Rmp0FW9W_pyHHpAnkX7Sg@mail.gmail.com> <2f5fba1a-2ee4-4881-7df1-b925a4468fba@cs.tcd.ie> <9989a0aee6784a7ba96bda23cf51d69b@XCH-RCD-012.cisco.com> <6d448c71-8585-be88-302d-feee7e098ac9@cs.tcd.ie>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 01 Nov 2017 18:17:11 +0100
X-Gmail-Original-Message-ID: <CAOdDvNoUT-+j+E9p2exxFFW8s-8-N=mA8u=3HbpendjxkYjOAw@mail.gmail.com>
Message-ID: <CAOdDvNoUT-+j+E9p2exxFFW8s-8-N=mA8u=3HbpendjxkYjOAw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>, Richard Barnes <rlb@ipv.sx>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1cdec0dd06a3055cef0a50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fcS9uBGL0rAx728IAFellJycVrA>
Subject: Re: [TLS] New Version Notification for draft-friel-tls-over-http-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 17:17:28 -0000
Some feedback, in no particular order: * have a hard think about handshake/termination loads. istm this scheme devolves pretty quickly to a termination per object HTTP/1.0 style so you'll be fairly quickly looking to do some kind of multiplexing and reuse on top of it for the same reasons HTTP evolved that way. as an alternative - HTTP/2 inside of a CONNECT tunnel (e.g. HTTP/2 on one stream of an HTTP/2 session) is something browsers already do and may be a carrot worth chasing if you want to give up on the dream of just deploying js into the current environment. * read the current websockets over http/2 thread on httpbis with an eye to the discussion about CONNECT vs (a hypothetical) TUNNEL. There are some similarities to the discussion here. * also take a look at https://tools.ietf.org/html/dr aft-nottingham-bcp56bis-00 (to be adopted imminently by httpbis) - for general foo over http guidance. In particular note that requiring particular behavior from http response codes beyond what is already defined (adding semantics) is called out as a practice to be avoided. * I don't really understand how s->c data flows other than as a reply to client data. hanging get? polling? push? * istm you are using http as a reliable messaging layer. That 'reliable' part might get you into trouble.. various events can cause an http transaction to fail and I'm not sure how you recover that state without record number etc.. Is there room for a off path malicious actor to disrupt your stream state (e.g. send a get with your session ID to get a few bytes of ciphertext - which means you never get them?)? Perhaps this works better as a more generic "datagram over http" framework which you can obviously run some form of reliable stream and tls (and http) on top of. why is a tls record the best scope here? On Tue, Oct 31, 2017 at 10:26 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie > wrote: > > Hi Owen, > > On 31/10/17 21:03, Owen Friel (ofriel) wrote: > >> Interesting. One bit puzzles me: wouldn't the new content-type > >> give the game away and cause middleboxes to block this? > >> > >> S. > >> > > [ofriel] The intention isn’t to try and obscure the fact that there > > is an ATLS session. Even if that new content-type was not defined, > > it would be easy to write a simple pattern match script on the > > middlebox to identity the JSON body and leading base64 bytes of the > > TLS records in the body. > > So that leaves me puzzled still, sorry. > > I can't think of a situation with a middlebox that isn't ok > with the client doing proper TLS but is ok with ATLS. > > Can you give an example of such a situation? > > In case it helps, I can imagine that some middleboxes won't > (yet) know about this and will let it through for a while, > but that seems fairly brittle. So, I'd have thought it may > be worthwhile trying to hide what's what here if you want > it to be robust against an antagonistic middlebox or censor. > But maybe you guys analysed that already and figured it'd > not work. (Which brings me back to "puzzled":-) > > Cheers, > S. > > > > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Stephen Farrell
- Re: [TLS] New Version Notification for draft-frie… Richard Barnes
- Re: [TLS] New Version Notification for draft-frie… Mark Nottingham
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Owen Friel (ofriel)
- Re: [TLS] New Version Notification for draft-frie… Owen Friel (ofriel)
- Re: [TLS] New Version Notification for draft-frie… Ben Schwartz
- Re: [TLS] New Version Notification for draft-frie… Stephen Farrell
- Re: [TLS] New Version Notification for draft-frie… Patrick McManus
- Re: [TLS] New Version Notification for draft-frie… Owen Friel (ofriel)
- Re: [TLS] New Version Notification for draft-frie… Alex C
- [TLS] Layered TLS ... was Re: New Version Notific… Hannes Tschofenig
- Re: [TLS] Layered TLS ... was Re: New Version Not… Salz, Rich
- Re: [TLS] Layered TLS ... was Re: New Version Not… Hannes Tschofenig
- Re: [TLS] New Version Notification for draft-frie… Hannes Tschofenig
- Re: [TLS] New Version Notification for draft-frie… Yoav Nir
- Re: [TLS] New Version Notification for draft-frie… Peter Saint-Andre
- Re: [TLS] New Version Notification for draft-frie… Alex C
- Re: [TLS] New Version Notification for draft-frie… Hannes Tschofenig