Re: [TLS] TLS 1.3 Application Identifier ?

Watson Ladd <watsonbladd@gmail.com> Fri, 18 July 2014 03:32 UTC

In-Reply-To: <CAEQGKXSA5Y=DEWpXXrNhYE8UnrSwen2iqVUSfWNJ3SNfkEuz2A@mail.gmail.com>
References: <CAEQGKXRhAh2BvwY0xCCf-BN6kh37_athgYQ+Ha7LJE0DYvSCVg@mail.gmail.com> <CAOhHAXxdDqhKu1+d4EUx-=yyJqDhX7i2sFjGTAqo0FP9ox7KxQ@mail.gmail.com> <CFED4154.45D24%paul@marvell.com> <CAEQGKXSA5Y=DEWpXXrNhYE8UnrSwen2iqVUSfWNJ3SNfkEuz2A@mail.gmail.com>
Date: Thu, 17 Jul 2014 20:32:45 -0700
Message-ID: <CACsn0cmigM1Y603SNdWah1g7H0kGnmRtB7T+Nhx_aYHPAe2trw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Pascal Urien <pascal.urien@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/j1f2jtgDJzHxnCorezsLlRZ7bSc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 Application Identifier ?

What do you mean by "application identifier"? Is http enough, or
should it be the application on top of http?

What do you need it for? Why does it need to be mandatory: why not
require clients to use ALPN?

If you want to link the client cert to application (what does that
mean?) why can't the ChannelID draft serve your purposes?

On Thu, Jul 17, 2014 at 3:09 PM, Pascal Urien <pascal.urien@gmail.com> wrote:
> Hi All
>
> Finished messages are encrypted. They are produced first by the server and
> second by the client.
>
> Today's semantics (TLS 1.3) of these messages are server finished and client
> finished (a cryptographic proof of the knowledge of secrets).
>
> They could be used also to transport protected application identifiers for
> both server and client ?!
>
> Regards
>
> Pascal
>
>
> 2014-07-17 18:05 GMT+02:00 Paul Lambert <paul@marvell.com>:
>
>>
>> It may or may not map well into TLS, but in other forums, we’re using a 6
>> octet identifier to describe services (aka applications).
>> It’s formed as a truncated hash of a “service name”
>>
>>        serviceId = SHA256( serviceName )[0:6]
>>
>> It can also be obscured by concatenating the Service Name with a key
>> before creating the identifier.
>>
>> Paul
>>
>>
>> Hi Pascal
>> You may have a look at the following document:
>> http://tools.ietf.org/html/draft-badra-tls-multiplexing-01
>> Or
>> http://tools.ietf.org/html/draft-badra-hajjeh-mtls-06
>>
>> Best regards
>> Badra
>>
>>
>> On Wed, Jul 16, 2014 at 12:32 PM, Pascal Urien <pascal.urien@gmail.com>
>> wrote:
>>>
>>> Hi All
>>>
>>> It seems there is no identifier for the application SDU transported by
>>> TLS 1.3 (which is obviously a transport protocol)
>>>
>>> With the legacy TLS, the application is identified by a TCP or UDP port.
>>> Some TLS extensions have been proposed to solve this issue.
>>>
>>> What about adding a mandatory application identifier in the client hello
>>> message?
>>>
>>> It could be a two bytes integer (i.e. TCP or UDP port) or something else
>>> such as an application name
>>>
>>> A mandatory application identifier in the client hello message avoids
>>> tentative connections to non-available applications. It could also establish
>>> a logical link between the client certificate and applications.
>>>
>>> Regards
>>>
>>> Pascal Urien
>>>
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>
>>
>>
>
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
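Paul Lambert's quoted sketch, serviceId = SHA256(serviceName)[0:6] with an optional key mixed in, is small enough to try out. The following is an added example written for this page; it is not code from any message in the thread and not from any of the cited drafts. It assumes UTF-8 encoding of the service name, uses HMAC-SHA256 for the keyed variant (the mail only says to concatenate the name with a key before hashing; HMAC is the standard keyed-hash construction and is substituted here), and uses a constructed dictionary of service names and a constructed demo key. It also shows the practitioner's caveat: an unkeyed 48-bit truncation of a public name is not "obscured" at all, since anyone can reverse it with a dictionary of likely names, whereas the keyed form resists that without the key.

```python
"""
Service identifiers as sketched in the thread: serviceId = SHA256(serviceName)[0:6].
Added example for illustration; assumptions are marked in comments.
"""
import hashlib
import hmac
from typing import Iterable, Optional

SERVICE_ID_LEN = 6  # 48-bit truncated digest, as in the quoted sketch


def service_id(service_name: str) -> bytes:
    """Unkeyed identifier: the first 6 octets of SHA-256 over the UTF-8 name."""
    digest = hashlib.sha256(service_name.encode("utf-8")).digest()
    return digest[:SERVICE_ID_LEN]


def keyed_service_id(service_name: str, key: bytes) -> bytes:
    """Keyed ("obscured") identifier.

    The quoted mail says to concatenate the service name with a key before
    hashing; this example uses HMAC-SHA256 instead (assumption: the standard
    keyed-hash construction, which avoids ambiguity about the key/name boundary).
    """
    mac = hmac.new(key, service_name.encode("utf-8"), hashlib.sha256).digest()
    return mac[:SERVICE_ID_LEN]


def reverse_by_dictionary(target: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Recover the service name behind an unkeyed identifier by trying a
    dictionary of likely names. An unkeyed truncated hash of a public name
    does not hide the name; a keyed one does, as long as the key is secret."""
    for name in candidates:
        if hmac.compare_digest(service_id(name), target):
            return name
    return None


# Constructed sample dictionary of plausible service names (not from the thread).
KNOWN_SERVICE_NAMES = ["http", "https", "imaps", "ssh", "xmpp-client", "printer"]

# Constructed demo key; in practice this would be a secret shared by the parties.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def demo() -> dict:
    """Compute both identifier forms for one name and attempt to reverse each."""
    unkeyed = service_id("https")
    keyed = keyed_service_id("https", DEMO_KEY)
    return {
        "unkeyed_hex": unkeyed.hex(),
        "keyed_hex": keyed.hex(),
        "unkeyed_reversed": reverse_by_dictionary(unkeyed, KNOWN_SERVICE_NAMES),
        "keyed_reversed": reverse_by_dictionary(keyed, KNOWN_SERVICE_NAMES),
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Two things to keep in mind before adopting such an identifier in a protocol: a 48-bit truncation gives only about 2^24 work for a birthday collision between two service names, which is trivial if an attacker can register or choose names; and the keyed form only hides the name from parties without the key, so it is a labelling scheme rather than a substitute for the authenticated negotiation (ALPN, or a certificate binding) that the reply above asks about.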