Re: [TLS] Last Call: RFC 2818 (HTTP Over TLS) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Fri, 01 June 2012 17:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF64311E80B4 for <tls@ietfa.amsl.com>; Fri, 1 Jun 2012 10:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 93+6xmF6mRbM for <tls@ietfa.amsl.com>; Fri, 1 Jun 2012 10:29:32 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4D42C11E8074 for <tls@ietf.org>; Fri, 1 Jun 2012 10:29:32 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so1609431vcq.31 for <tls@ietf.org>; Fri, 01 Jun 2012 10:29:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=eFZCgBdc85AnNyMeGHZzZKslQ9yoAH13a3HF6TOuQRQ=; b=eLHOrWzv+36Zcx8lynSv124862oR65FCLf1JwrZqs4PgVOvDDIZ5ea7cBupglDxE1M BSCFd+ERiNt1/iSiPDBPXpk25C+M9qwBeM/76FgMQM9FbI/mgx0m5XZwjV9gGVoMkMTB Z0Aq2VK5AIOzO5WXZAK5qjiogJBqChw+Dz528Q2hDQ9dToZXoh6FXmWtc16WSVFMVJuu M8L6QJs//eF4/hml6y7GY2b4zPkshxB5N9Av8+Jw14VfARJ7y3j6IulLxrcyQXHseaSK C8CLVapBMZj1NXW/E1COpUwXmkDte4hO6SZ0glDPzr5VYHQktex3sGEuvlOra0/Essdi Z6NA==
Received: by 10.220.154.2 with SMTP id m2mr3357625vcw.2.1338571771555; Fri, 01 Jun 2012 10:29:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.35.209 with HTTP; Fri, 1 Jun 2012 10:28:51 -0700 (PDT)
X-Originating-IP: [74.95.2.169]
In-Reply-To: <h2xiky0n69l6ckp3djjezwJv4X.penango@mail.gmail.com>
References: <20120601164205.25357.54620.idtracker@ietfa.amsl.com> <h2xiky0n69l6ckp3djjezwJv4X.penango@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Jun 2012 10:28:51 -0700
Message-ID: <CABcZeBMjxzd2NiPYFaTstbMTcZHBXhzDNinWhkETv7tUUtdMBA@mail.gmail.com>
To: Kyle Hamilton <aerowolf@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkYUES3DzaskpricoX0uQARYN5hWt0YXIyhxWE3FY6JUhCIMsuj9x4dPSmdDxlpcCP8Q/Sc
Cc: IESG Secretary <iesg-secretary@ietf.org>, tls@ietf.org, IETF Announcement List <ietf-announce@ietf.org>
Subject: Re: [TLS] Last Call: RFC 2818 (HTTP Over TLS) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2012 17:29:33 -0000

On Fri, Jun 1, 2012 at 10:15 AM, Kyle Hamilton <aerowolf@gmail.com> wrote:
> This is damaging, and I recommend against.  This is something which must be
> handled by HTTP and its demands of its transports, not TLS and its claim to
> support what it thinks its clients want.
>
> Among other things, this RFC more than any other is responsible for the
> "Server Name Indication" requirement.  If it had not been the case, SNI
> would never have been necessary, and IESG/IETF would never have had to deal
> with it.

Huh? As stated in the abstract, RFC 2818 documented what was already
established practice at the time it was published. Yes, that practice
leads directly to SNI, but it's not like it's the fault of 2818.


> I suggest instead that it be moved to HISTORIC, and a 2818bis drafted which
> describes how the various TLS extensions play with HTTP.

I don't understand what that would mean. At the time 2818 was published,
there were already complaints about the HTTPS mechanism (though
primarily directed towards the use of a separate port) and the IETF
took a stab at trying to define a protocol that it liked better (2817).
That was hardly a success. It's hard to believe that we're going to
make fundamental architectural changes now, given that HTTPS
is far more entrenched.

-Ekr