[TLS] protocol registry issues (was SPDY / NPN)
Patrick Pelletier <code@funwithsoftware.org> Sat, 21 April 2012 00:29 UTC
Return-Path: <code@funwithsoftware.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B875711E809A for <tls@ietfa.amsl.com>; Fri, 20 Apr 2012 17:29:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.51
X-Spam-Level:
X-Spam-Status: No, score=-0.51 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, J_CHICKENPOX_65=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tROi4+cqJMv9 for <tls@ietfa.amsl.com>; Fri, 20 Apr 2012 17:29:55 -0700 (PDT)
Received: from asbnvacz-mailrelay01.megapath.net (asbnvacz-mailrelay01.megapath.net [207.145.128.243]) by ietfa.amsl.com (Postfix) with ESMTP id D0FBD11E8095 for <tls@ietf.org>; Fri, 20 Apr 2012 17:29:54 -0700 (PDT)
Received: from mail4.sea5.speakeasy.net (mail4.sea5.speakeasy.net [69.17.117.48]) by asbnvacz-mailrelay01.megapath.net (Postfix) with ESMTP id B3B18A7035A for <tls@ietf.org>; Fri, 20 Apr 2012 20:29:53 -0400 (EDT)
Received: (qmail 14090 invoked from network); 21 Apr 2012 00:29:53 -0000
Received: by simscan 1.4.0 ppid: 17908, pid: 28603, t: 1.4488s scanners: clamav: 0.88.2/m:52/d:10739 spam: 3.0.4
Received: from dsl017-096-185.lax1.dsl.speakeasy.net (HELO [192.168.11.2]) (ppelleti@[69.17.96.185]) (envelope-sender <code@funwithsoftware.org>) by mail4.sea5.speakeasy.net (qmail-ldap-1.03) with AES128-SHA encrypted SMTP for <tls@ietf.org>; 21 Apr 2012 00:29:51 -0000
Message-Id: <25D04C83-1FE6-4569-9B5E-9F9D2391D9B8@funwithsoftware.org>
From: Patrick Pelletier <code@funwithsoftware.org>
To: tls@ietf.org
In-Reply-To: <mailman.4302.1334908422.3230.tls@ietf.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 20 Apr 2012 17:29:49 -0700
References: <mailman.4302.1334908422.3230.tls@ietf.org>
X-Mailer: Apple Mail (2.936)
Subject: [TLS] protocol registry issues (was SPDY / NPN)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Apr 2012 00:29:55 -0000
Martin Rex wrote: > The issue with too strict rules is that it may simply get ignored, > and code points be "kidnapped". So overly strict rules can result > in an near complete loss of control over people&ideas whose time has > come. > > "It's easier to ask forgiveness than it is to get permission." It seems that ssh has a better way to handle this "experimental deployment" phase, since it uses strings, and allows domain-qualified private names. (RFC 4250, section 4.6.1) What about an extension that would allow TLS to do a similar thing? The extension would be sent by the client, and would declare its interpretation of "Private Use" numbers, by associating each number with a string. (Which would have the "foo@example.com" format of ssh private names.) Then, if the server understood this extension, it would simply use the Private Use numbers that the client proposed. Once IANA allocates a number, the client can use the IANA-allocated number in its list of number/string pairs, instead of a Private Use number, so that it can interoperate both with servers that support this "number to string" extension but don't yet know about the new IANA number, and also with servers that do know about the IANA- allocated number, but don't support the "number to string" extension. Once enough servers know about the IANA-allocated number, the clients can stop listing it in their "number to string" list, to save space. This would work for any registry which has a "private use" range, which from a quick look at the IANA registry, looks like: TLS Certificate Types, TLS ClientCertificateType Identifiers, TLS Cipher Suites, EC Named Curves, EC Point Formats, EC Curve Types, TLS Supplemental Data Formats, TLS UserMappingTypes, TLS SignatureAlgorithms, TLS HashAlgorithms, TLS Authorization Data Formats, and TLS Compression Method Identifiers. There are some registries which don't have "private use" areas, so IANA would need to allocate a "private use" range in order to use them with this extension. That would include: TLS ContentTypes, TLS Alerts, TLS HandshakeTypes, Heartbeat Message Types, Heartbeat Modes, and ExtensionTypes. It seems like this would be an easy way to avoid the "kidnapping"/"number camping" problem. --Patrick
- [TLS] protocol registry issues (was SPDY / NPN) Patrick Pelletier