Re: [TLS] TLS 1.3 Application Identifier ?

Alyssa Rowan <akr@akr.io> Wed, 16 July 2014 09:17 UTC

User-Agent: K-9 Mail for Android
In-Reply-To: <CAEQGKXRhAh2BvwY0xCCf-BN6kh37_athgYQ+Ha7LJE0DYvSCVg@mail.gmail.com>
References: <CAEQGKXRhAh2BvwY0xCCf-BN6kh37_athgYQ+Ha7LJE0DYvSCVg@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: Alyssa Rowan <akr@akr.io>
Date: Wed, 16 Jul 2014 10:17:09 +0100
To: "tls@ietf.org" <tls@ietf.org>
Message-ID: <ce96173c-e886-4c90-a567-8fd445ed7169@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/rewslpOGUvYBDJU86lvRPwZ7JrA
Subject: Re: [TLS] TLS 1.3 Application Identifier ?

On 16 July 2014 09:32:31 BST, Pascal Urien <pascal.urien@gmail.com> wrote:

>It seems there is no identifier for the application SDU transported by TLS 1.3 (which is obviously a transport protocol).
>
>With the legacy TLS, the application is identified by a TCP or UDP port. Some TLS extensions have been proposed to solve this issue.

Perhaps I am misunderstanding: are you not describing ALPN? It seems what you want is an ALPN identifier for your protocol, am I correct?

ALPN seems to be proposed as the preferred way to do this for 1.3, is my understanding.

There are obvious metadata concerns involving an untrusted intermediary identifying and demultiplexing different applications transported over TLS (current ALPN is plaintext) and ways to address this are being explored by the WG (although this has tension with those who run large-scale traffic balancers which would prefer to avoid doing crypto for both scale and key security reasons; I'm not sure that can be cleanly resolved in a privacy-preserving manner which satisfies everyone).

--
/akr