Re: [TLS] Proposed change in TLS-Flags

Yoav Nir <ynir.ietf@gmail.com> Wed, 01 July 2020 04:03 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <1496E3F4-FB87-46EE-9F76-86C058A55954@gmail.com>
Date: Wed, 01 Jul 2020 07:03:47 +0300
In-Reply-To: <CAPDSy+7Mqn3fnYhUwGzo5tBNMTiBQeoKMcABQ_pzK-y7AhmipA@mail.gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
To: David Schinazi <dschinazi.ietf@gmail.com>
References: <1CAC4193-E0CD-4C29-BC05-CED0617BEE19@gmail.com> <CAPDSy+7Mqn3fnYhUwGzo5tBNMTiBQeoKMcABQ_pzK-y7AhmipA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jp8on7heWJPP9sP08t1VCwLb5Z0>
Subject: Re: [TLS] Proposed change in TLS-Flags

Yeah, the thread that Nick mentioned.

Also, since there are no such extensions defined in the base TLS 1.3 spec, the server can’t assume that the client knows what either the specific flag means, or the entire flags extension means. 

So suppose we invent some new client authentication scheme for TLS, it does make sense for the server to signal that it supports this so that the client can do so. But I don’t think it’s too onerous to require that the client indicate support first.

Yoav

> On 1 Jul 2020, at 2:30, David Schinazi <dschinazi.ietf@gmail.com> wrote:
> 
> Hi Yoav,
> 
> Could you elaborate on the rationale for this change please?
> I was assuming that the ability for servers to send extensions not requested by clients was useful.
> 
> Thanks,
> David
> 
> On Mon, Jun 29, 2020 at 2:34 PM Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi
> 
> I’ve just submitted the following PR:
> 
> https://github.com/tlswg/tls-flags/pull/4
> 
> Three changes:
> 1. It is no longer allowed to send an empty flags extension.  If you don’t support any flags, don’t send the extension.
> 2. The server is no longer allowed to respond with flag types that the client didn’t indicate support for first.
> 3. I’ve split the extension description section into a format section and a rules section.
> 
> Please comment. Barring any objections, I’ll merge the PR just before the submission deadline.
> 
> Yoav
> 
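The two rules the PR introduces (no empty flags extension; the server may only answer with flags the client offered) as a small checker. This is an added example, not code from the thread or from the tls-flags draft; the bit layout (flag n in byte n // 8, bit n % 8, least-significant bit first) and the function names are assumptions made for illustration.

```python
from typing import Optional, Set, Tuple

# Assumed encoding for this example: flag number n is stored in
# byte n // 8 of the extension body, bit n % 8, LSB first.


def decode_flags(ext_data: bytes) -> Set[int]:
    """Return the set of flag numbers set in a flags extension body."""
    if not ext_data:
        # Rule 1 of the PR: an empty flags extension is not allowed;
        # a peer with no flags to offer must omit the extension entirely.
        raise ValueError("empty flags extension is not allowed; omit it instead")
    flags = set()
    for byte_index, value in enumerate(ext_data):
        for bit in range(8):
            if value & (1 << bit):
                flags.add(byte_index * 8 + bit)
    return flags


def encode_flags(flags: Set[int]) -> Optional[bytes]:
    """Encode a flag set; None means 'do not send the extension at all'."""
    if not flags:
        return None
    buf = bytearray(max(flags) // 8 + 1)
    for f in flags:
        buf[f // 8] |= 1 << (f % 8)
    return bytes(buf)


def check_server_flags(client_ext: Optional[bytes],
                       server_ext: Optional[bytes]) -> Tuple[bool, str]:
    """Validate a server's flags extension against what the client offered.

    None models 'extension absent'; b'' models 'present but empty'.
    """
    if server_ext is None:
        return True, "server sent no flags extension"
    if client_ext is None:
        return False, "server sent flags but the client offered none"
    try:
        offered = decode_flags(client_ext)
        answered = decode_flags(server_ext)
    except ValueError as exc:
        return False, str(exc)
    # Rule 2 of the PR: every flag the server sets must have been offered.
    unsolicited = answered - offered
    if unsolicited:
        return False, "server set flags the client did not offer: %s" % sorted(unsolicited)
    return True, "ok"
```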