Re: [TLS] consensus on backwards compatibility changes

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 20 February 2015 19:04 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A471A0068 for <tls@ietfa.amsl.com>; Fri, 20 Feb 2015 11:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQCMOuSAPfx9 for <tls@ietfa.amsl.com>; Fri, 20 Feb 2015 11:04:33 -0800 (PST)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C295B1A0358 for <tls@ietf.org>; Fri, 20 Feb 2015 11:04:32 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id C0C044015; Fri, 20 Feb 2015 21:04:29 +0200 (EET)
Date: Fri, 20 Feb 2015 21:04:29 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Dave Garrett <davemgarrett@gmail.com>
Message-ID: <20150220190429.GA32298@LK-Perkele-VII>
References: <201412300503.03923.davemgarrett@gmail.com> <201502121714.54235.davemgarrett@gmail.com> <54DD6065.8000205@metaparadigm.com> <201502201345.51739.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <201502201345.51739.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uqzIns4JJXNPKHTex30RXzuSdTU>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 19:04:35 -0000

On Fri, Feb 20, 2015 at 01:45:51PM -0500, Dave Garrett wrote:
> I've made some editorial improvements to PR 107. I've rewritten a few little bits of prior existing text and simplified the sectioning. I've also fixed some section linking. Insecure fallback is now explicitly listed as "NOT RECOMMENDED" as suggested by Michael Clark.
> 
> https://github.com/tlswg/tls13-spec/pull/107/files
> 
> There is one new remaining issue to discuss that was brought up by David Benjamin on GitHub. Essentially, we want to make sure that the wording of what versions are to be used in the record layer is precise, including error cases, such that implementations are consistent here. I'd like to see what the opinion of the list is on the topic.
> 
> Current PR 107 wording for the record layer version field:
> ------------------------------
> TLS clients MUST set this version to { 3, 1 } for the initial ClientHello.
> For the ServerHello and all other TLS records this MUST be equal to the negotiated version.
> ------------------------------
> 
> My current consideration (not yet in PR):
> ------------------------------
> Prior to version negotiation, this value MUST be { 3, 1 }. This includes the ClientHello, records sent during negotiation, and errors aborting the negotiation.
> After version negotiation, this MUST be equal to the negotiated version. This includes the ServerHello and all following records.
> ------------------------------
> 
> I explicitly mention records and errors so as to make sure records in EarlyDataExtension are included. Maybe just call it out by name instead? Anyone think of some better wording here?
> 
> Once we can agree on the wording of this, I think this set of changes should be ready unless someone else has a concern that has not been addressed.
> 

What about HelloRetryRequest?


-Ilari