[TLS] Request for review: Next Protocol Negotiation Extension

Adam Barth <ietf@adambarth.com> Mon, 16 August 2010 17:07 UTC

TLS experts,

As some of you may be aware, the HyBi working group is considering use
of a TLS extension as part of the WebSockets protocol [1].  I believe
the extension has been mentioned on this list before, but as there is
now renewed interest in its use, now might be a good time for this
working group to look over the extension and provide feedback.

The extension, called Next Protocol Negotiation, adds information to
the TLS handshake to let the client and server agree on which protocol
they will speak over the encrypted tunnel once the handshake
completes.  In some sense, this extension is to TLS what ports are to
TCP: it allows multiplexing a number of protocols over a single
listening endpoint (in the case of TLS, a TCP port, in the case of
TCP, an IP address).

The HyBi working group is interested in Next Protocol Negotiation
because it has two properties:

1) It allows servers to multiplex HTTPS and WebSockets over the same
listening port (typically 443).
2) After completing the TLS handshake (with the extension) both
parties are guaranteed that the other party intends to speak
WebSockets over the encrypted tunnel.  (This property is important to
avoid cross-protocol vulnerabilities, which I can elaborate on if
you're not familiar with that class of vulnerability.)

The current Internet-Draft is located here:


I look forward to receiving your feedback.

Kind regards,

[1] http://trac.tools.ietf.org/wg/hybi/trac/ticket/14
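
A sketch of the negotiation and dispatch step the message describes, added here as an illustration (not code from the draft or from the original post). It assumes the server advertises a one-byte-length-prefixed protocol list and the client selects from it; the function names and the "websocket" label are hypothetical, and no TLS I/O is performed.

```python
# Added illustration: models the negotiation step only, no TLS I/O.
# Protocol names below are constructed sample values.

def encode_protocols(names):
    """Serialize protocol names as 1-byte-length-prefixed strings."""
    out = bytearray()
    for name in names:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        out.append(len(raw))
        out += raw
    return bytes(out)


def decode_protocols(blob):
    """Parse a length-prefixed list, rejecting empty or truncated entries."""
    names, i = [], 0
    while i < len(blob):
        n = blob[i]
        if n == 0 or i + 1 + n > len(blob):
            raise ValueError("malformed protocol list")
        names.append(blob[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return names


def client_select(server_blob, client_supported):
    """Client picks the first server-advertised protocol it also supports.
    Returns None when there is no overlap (this sketch fails closed)."""
    for name in decode_protocols(server_blob):
        if name in client_supported:
            return name
    return None


def dispatch(negotiated, handlers):
    """Route the tunnel by the negotiated name; never guess from the bytes."""
    if negotiated not in handlers:
        raise ConnectionError("no agreed protocol, closing connection")
    return handlers[negotiated]


HANDLERS = {"http/1.1": "https-handler", "websocket": "websocket-handler"}
ADVERTISED = encode_protocols(["http/1.1", "websocket"])  # constructed sample
```

Because `dispatch` keys only on the name agreed during the handshake, a peer that never negotiated "websocket" cannot reach the WebSockets handler by sending bytes that merely resemble it.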