Re: [TLS] renego, patricide, putting out to stud, etc.

Marsh Ray <> Fri, 01 January 2010 01:42 UTC

Date: Thu, 31 Dec 2009 19:42:18 -0600
From: Marsh Ray <>
To: Ravi Ganesan <>
Subject: Re: [TLS] renego, patricide, putting out to stud, etc.

Ravi Ganesan wrote:
> [...]
> But of course I am biased, I feel it is limiting to use words that limit
> TLS to "sockets" or "connections", needlessly.

The TLS spec doesn't use the term "socket" anywhere.

> For instance what does
> a connection mean if the binding is not TCP?

A TLS connection is pretty fundamental.

From the application layer's perspective, the connection is a conduit
through which it may send and receive application data with the benefit
of the security guarantees of TLS.

At the TLS record layer, a connection is a sequence of TLS records with
consistent framing, record sequence numbers, MAC and crypto params.

TLS needs to ride on some reliable and ordered transport, but it doesn't
have to be TCP. A few places in the TLS spec say certain errors must
"terminate the connection", but it can't really mandate the behavior of
lower levels. (E.g., an application using starttls could drop back to
the unencrypted protocol rather than actually closing the TCP connection).

- Marsh
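The record-layer view of a connection given in the message above (records sharing framing, a running record sequence number and MAC parameters) can be made concrete with a small simulation. The following is an added example, not code from Marsh Ray's message, from the TLS working group or from any TLS implementation. It parses a constructed byte stream into TLS records, and computes the TLS 1.2 record MAC (RFC 5246 section 6.2.3.1: seq_num || type || version || length || fragment) with a per-direction sequence number, omitting the encryption step so that the ordering and replay properties are visible on their own. The MAC key and the application messages are constructed values.

```python
"""Added example: a TLS 1.2 'connection' modelled as a sequence of records
that share framing, a per-direction sequence number and MAC parameters.
Encryption is deliberately left out; only framing and the record MAC are shown.
Key and messages below are constructed, not captured traffic.
"""
import hashlib
import hmac
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAC_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag length (32)
MAX_FRAGMENT = 2 ** 14 + 2048           # TLSCiphertext length ceiling (RFC 5246 6.2.3)


def parse_records(stream: bytes):
    """Split a byte stream into (content_type, version, body) records.

    Raises ValueError when the framing is inconsistent: a truncated header or
    fragment, an unknown content type, or an over-long record.
    """
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_FRAGMENT:
            raise ValueError("record too long")
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated fragment")
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records


def record_mac(mac_key: bytes, seq_num: int, ctype: int, version, fragment: bytes) -> bytes:
    """TLS 1.2 MAC input: seq_num (8) || type (1) || version (2) || length (2) || fragment."""
    header = struct.pack("!QBBBH", seq_num, ctype, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class ConnectionState:
    """Per-direction state that every record of one connection shares."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq_num = 0  # starts at zero for each new connection state

    def protect(self, ctype, version, fragment):
        """Append the MAC for the current sequence number, then advance it."""
        tag = record_mac(self.mac_key, self.seq_num, ctype, version, fragment)
        self.seq_num += 1
        return fragment + tag

    def verify(self, ctype, version, body):
        """Check the MAC against the expected sequence number; advance only on success."""
        if len(body) < MAC_LEN:
            raise ValueError("decode_error")
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(self.mac_key, self.seq_num, ctype, version, fragment)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")
        self.seq_num += 1
        return fragment


def build_stream(state: ConnectionState, version, messages) -> bytes:
    """Frame each (type, fragment) as a record: 5-byte header followed by protected body."""
    out = b""
    for ctype, fragment in messages:
        body = state.protect(ctype, version, fragment)
        out += struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body
    return out


def receive_stream(state: ConnectionState, stream: bytes):
    """Parse and verify every record in order, returning (type, plaintext) pairs."""
    return [(ctype, state.verify(ctype, ver, body)) for ctype, ver, body in parse_records(stream)]


def demo():
    """Send three records, verify them, then show a replayed record is rejected."""
    key = b"constructed-mac-key-not-a-real-one"   # constructed value
    version = (3, 3)                               # TLS 1.2 on the wire
    messages = [(22, b"finished"), (23, b"GET / HTTP/1.1\r\n"), (23, b"Host: example.test\r\n")]
    stream = build_stream(ConnectionState(key), version, messages)
    receiver = ConnectionState(key)
    accepted = receive_stream(receiver, stream)
    # Replaying the second record: the receiver's sequence number has moved on,
    # so the MAC no longer matches and the record is refused.
    ctype, ver, body = parse_records(stream)[1]
    try:
        receiver.verify(ctype, ver, body)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return accepted, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The sequence number never appears on the wire; both sides derive it from their position in the record sequence, which is why a record that is replayed, dropped or reordered fails MAC verification and why the state is tied to one connection rather than to any particular transport.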