Re: [TLS] Eric Rescorla's Yes on draft-ietf-tls-record-limit-02: (with COMMENT)
Martin Thomson <martin.thomson@gmail.com> Tue, 03 April 2018 01:21 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58BFC126CBF; Mon, 2 Apr 2018 18:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nVjwBIqIQy5; Mon, 2 Apr 2018 18:21:57 -0700 (PDT)
Received: from mail-ot0-x22d.google.com (mail-ot0-x22d.google.com [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EE8A12DA13; Mon, 2 Apr 2018 18:21:54 -0700 (PDT)
Received: by mail-ot0-x22d.google.com with SMTP id 23-v6so17644014otj.0; Mon, 02 Apr 2018 18:21:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=T4UNgQf6oh/SRfHTQDUSKMOlUTn8zYg4hI8lx6L32E0=; b=Y08earhkYuDgx73J5NQ6Mgdxfrvsk58aWd56JJkkBJeGx25vx0JztHzYA0IDM0nzBD accO/3aQr2FGc6QywAoopRh7vW6O53z6r51pGClsKPTVhD1SfMlilVGs1X4S2aaJ8ane i2WIb4eiQwzYTL6RFIRJIXQ8mUpYH7Vefk20RIXfBLe5NVVqmn4POaNCBYaiabgAK0qp smjnVj7hed9BemScKbf/WPsxowcFty6oMwyhkqkS9k/F53I85gX0Kabwuc/IVhvl56Pw 0T4eXdtAd61gNnN8u8ke9HPjxl6FqfiY1/xam0YnX3IAWohjamefO3g4QMTG7P5XXxvT QqnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=T4UNgQf6oh/SRfHTQDUSKMOlUTn8zYg4hI8lx6L32E0=; b=QL6f1+CrG+C/7+1K/mdWJdXAL/1rLs2N+3/Nhz0YAusble2EdPduY/Lom3J+2jKLB/ nlmum5e+NjavG/hHgNWhNm42K1x7K48MahbkcxfMVNkdBdt5sfGB9SxMs/6rjpn8z4qC K32Y3XPG6dY5L14vmkfNVdybKAsJjn71lPNsmn4cDJLezlv7HSll6s90/n7xZZxuU7K1 Plm/FAAKU9NuGQaMtRaXkc91TQNulPThJMkQQOcFgmMY+6gzjiVo1vQ9ea4QRZ+olc2k S8GYyVmbT90SIfi/1QQgNIhqqg+MinfqOCbDsu2wp+hj9hhLkJJmnjrtrNbstxZxlM20 o8Dw==
X-Gm-Message-State: ALQs6tBWirLzLiDFq5cs3kMMe2Fnj7mQ3CLh2Jg1/Mbn0TGio5plXOSQ QfTBCM722gqTWYL6N6FGjEx4IUkCUtNl6SacuQPY5n+M
X-Google-Smtp-Source: AIpwx4+Wund/6qZZuw1jqwqFd/px3GpHiAL4UmmYuxqRvvXXisPfSXRN3MFlETHha41oNUFX57AjvevdL3PhNmM5d3M=
X-Received: by 2002:a9d:2150:: with SMTP id l16-v6mr908613otd.394.1522718513506; Mon, 02 Apr 2018 18:21:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:ac7:0:0:0:0:0 with HTTP; Mon, 2 Apr 2018 18:21:52 -0700 (PDT)
In-Reply-To: <152252471645.19695.5060454044516666979.idtracker@ietfa.amsl.com>
References: <152252471645.19695.5060454044516666979.idtracker@ietfa.amsl.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 03 Apr 2018 11:21:52 +1000
Message-ID: <CABkgnnUaFMky2iAZjLbJ3MSr1JcBbFNxRhxi7zxsa4aabJfq3Q@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-record-limit@ietf.org, Sean Turner <sean@sn3rd.com>, tls-chairs <tls-chairs@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mjOhcyd5LNeDI86cXwWl7vFVGYI>
Subject: Re: [TLS] Eric Rescorla's Yes on draft-ietf-tls-record-limit-02: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2018 01:21:59 -0000
Nits are on the editor's copy. https://github.com/tlswg/tls-record-limit/commit/8c6307f63d5c3e34d3da1747fcdfbcc54aa290f6 On Sun, Apr 1, 2018 at 5:31 AM, Eric Rescorla <ekr@rtfm.com> wrote: > This text is a bit confusing. Consider a case where a server recognizes the > extension and has no limit, but the client offers one. > > In that case, the server can either: > > Return an extension with a max-size limit > Not return the extension > I think we want the server to conform to the client's limit in any case, but > "negotiated" is unclear. I think that I was operating on the assumption that both endpoints need to signal that they support the extension, but you are right that the server could omit the extension, but comply anyway. That doesn't seem properly transparent, so, at the cost of 6 octets, I think that we want everything to be clear. I've changed later text as follows: -Clients SHOULD advertise the `record_size_limit` extension, even if they have no -need to limit the size of records. This allows servers to advertise a limit at -their discretion. If this extension is not negotiated, endpoints can send -records of any size permitted by the protocol or other negotiated extensions. +Endpoints SHOULD advertise the `record_size_limit` extension, even if they have +no need to limit the size of records. For clients, this allows servers to +advertise a limit at their discretion. For servers, this allows clients to know +that their limit will be respected. If this extension is not negotiated, +endpoints can send records of any size permitted by the protocol or other +negotiated extensions. Note that while a client that sets a limit might be pleasantly surprised when a server respects its limit, having the extension "negotiated" means that it can treat overlarge records with an error.
- [TLS] Eric Rescorla's Yes on draft-ietf-tls-recor… Eric Rescorla
- Re: [TLS] Eric Rescorla's Yes on draft-ietf-tls-r… Martin Thomson
- Re: [TLS] Eric Rescorla's Yes on draft-ietf-tls-r… Eric Rescorla