Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Suppression)

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 18 February 2022 18:39 UTC

Date: Fri, 18 Feb 2022 20:39:36 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Kampanakis, Panos" <kpanos@amazon.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <Yg/n6Bie+YfV9HFL@LK-Perkele-VII2.locald>
In-Reply-To: <9eee53c130274c5497f7899026f22a76@EX13D01ANC003.ant.amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rek3DAYwoXUWdcnd7VjC0UsDqtk>
Subject: Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Suppression)

On Fri, Feb 18, 2022 at 04:47:09AM +0000, Kampanakis, Panos wrote:
> 
> About the tlsflags, makes sense. It would simplify things too. The
> impression I got from the old draft-thomson-tls-sic thread and the
> tlsflags draft was that it mandates an acknowledgement. I will
> confirm with Yoav.

The text in tlsflags looks like it mandates an acknowledgement,
but I think it might just be confusing text.

Regarding the actual need for an acknowledgement for this flag, I think
that the server acknowledging it could be useful so the client knows
whether retrying without the flag could be useful or not.

For the client acknowledging it, I find that much less useful. If the
server proposes the extension, it had better have an exhaustive issuer
list, be using certificates just as holders for raw public keys,
or be using certificate fingerprints for identification. Anything
else looks like it is asking for trouble.

-Ilari