Re: [TLS] Questions about ALPN
Michael D'Errico <mike-list@pobox.com> Tue, 15 April 2014 01:02 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA3A81A024C for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 18:02:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.273
X-Spam-Level:
X-Spam-Status: No, score=-2.273 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frToVtJsSlgU for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 18:02:11 -0700 (PDT)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by ietfa.amsl.com (Postfix) with ESMTP id A6ABA1A06AA for <tls@ietf.org>; Mon, 14 Apr 2014 18:02:09 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id ABB5711D79; Mon, 14 Apr 2014 21:02:06 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=x0TAa4idele9 uRjdthjWTC8ikmw=; b=Hx3bXbdRTOKvGmA0rHh9hmau6gfmkKSdHDjZFtOirf8X pxkBbl7GQNAqOJT6N/WiLiyNN+j2n1GplehuTblOwIF3YFFaoOY14nZApG7huEQw 5G4roSdSqRjb1Bvzd1h7fF8r3akygCLYPq8dvocihUvz09ahU6qVvY4hGKqli4g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=FC6PTF 0eCvx2oDDpODGY5GdkL573SKkFCq7sffXyzW4O6CZ72OuJTlggPWS8z4d8ceId0f 4mGKqRcRNaT6Nmd/mYRMx4dgZhMAuFRBZOGC4voa7eTRBNBd2ATINniJ5spLFDKq qgrsS7Sl4oz+YPbrN8aml07qRgglnZJ4JbnIE=
Received: from a-pb-sasl-quonix.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id A460811D78; Mon, 14 Apr 2014 21:02:06 -0400 (EDT)
Received: from iMac.local (unknown [24.234.153.62]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id 0BB6E11D76; Mon, 14 Apr 2014 21:02:04 -0400 (EDT)
Message-ID: <534C850B.1030505@pobox.com>
Date: Mon, 14 Apr 2014 18:02:03 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>
References: <53456D1B.1010804@alum.mit.edu> <4bf0dffe7f4e475abf38f1e14e09388e@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnUPM=AQTk6y2juQoEcPksNWSTCkgPe4846FWDwm5waxPQ@mail.gmail.com> <e01a57761d5d4776968b0d26e86b44b9@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnUSU_R2DmCjLV2FPFVX4TCfOfFEZ7ta5bVdakc3bsVkZA@mail.gmail.com> <53459638.50309@alum.mit.edu> <f6cfbd996c9c4456bcfb2fbec10f9f13@BL2PR03MB419.namprd03.prod.outlook.com> <53459E6B.4030900@alum.mit.edu> <5c4a4616b1d34efbb85643d1f26e5410@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnX7W8axLhhVg1wUmaUSmHZ_0F+=0ypKC=sN4utp9iD04g@mail.gmail.com> <719f0ee665324b929a0da56e127588fe@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnVF4Dt+uOciVSYggvkcauhkhOfn8x_m9cMy3LWET85bag@mail.gmail.com> <6c33eca449c34ca29f205e3c60856e 7b@BL2PR03MB419.namprd03.prod.outlook.com> <EECD972C-A116-4DAC-BF5D-B11BBED41CB5@mnot.net> <534C75D2.3010308@pobox.com> <3276489C-6843-4C01-9E0F-0FD98EB5C1A9@mnot.net>
In-Reply-To: <3276489C-6843-4C01-9E0F-0FD98EB5C1A9@mnot.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 8F929C4A-C439-11E3-BA8F-873F0E5B5709-38729857!a-pb-sasl-quonix.pobox.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wfE1vcIGIaEq_8lwiLLG2F0dru4
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] Questions about ALPN
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Apr 2014 01:02:16 -0000
Mark Nottingham wrote: > On 15 Apr 2014, at 9:57 am, Michael D'Errico <mike-list@pobox.com> wrote: > >> Additionally, adding a new low-level transport would break things: >> As an example, suppose you already have defined "http/2 over TCP" and >> "http/2 over TLS (over TCP)" and all servers recognize these code >> points. Now whoever wants to create "http/2 over HNTP" (hypothetical >> new transport protocol) will need to have all http server software >> everywhere learn the new code point whether it is aware of HNTP or not, >> before http/2 could be used reliably over HNTP. > > Why? Suppose that "http/2 over TCP" and "http/2 over TLS" are assigned the code points 23 and 38 respectively (I'm just making up numbers). A TLS stack can be programmed to recognize both of these numbers in ALPN as "http/2" for its purposes. But then some time later, someone registers "http/2 over HNTP" at code point 139. The same TLS stack can not possibly know that protocol 139 in ALPN means http/2 without an upgrade, leading to a failure. Also you'd then have to define "smtp over HNTP", "ftp over HNTP", etc. for all applications that could be delivered over HNTP. Much better to just register one new transport code point for HNTP and you're done. >> So instead of making this mistake, I'd like to see a single code point >> for application protocol (e.g. http/2) which would be used by TLS in >> ALPN and then you can combine that with another code point representing >> the transport if you need this level of distinction ("TCP", "SCTP", >> "UDP", "TLS over TCP", "DTLS over UDP", etc.). > > That would lead people to believe that they can use HTTP over DTLS (for > example), which isn't defined and isn't interoperable. Someone would have > to go and write the document "how to use HTTP/2 over DTLS", and then we'd > need a way to indicate to the peer that this is supported. I'm not saying that every combination needs to make sense. Keeping the code point spaces for transport and application separate will require many fewer registrations and allow for more robust software. Mike
- [TLS] Questions about ALPN Paul Kyzivat
- Re: [TLS] Questions about ALPN Adam Langley
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Adam Langley
- Re: [TLS] Questions about ALPN Paul Kyzivat
- Re: [TLS] Questions about ALPN Andrei Popov
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Andrei Popov
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Paul Kyzivat
- Re: [TLS] Questions about ALPN Andrei Popov
- Re: [TLS] Questions about ALPN Paul Kyzivat
- Re: [TLS] Questions about ALPN Andrei Popov
- Re: [TLS] Questions about ALPN Daniel Kahn Gillmor
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Andrei Popov
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Andrei Popov
- Re: [TLS] Questions about ALPN Mohamad Badra
- Re: [TLS] Questions about ALPN Mark Nottingham
- Re: [TLS] Questions about ALPN Michael D'Errico
- Re: [TLS] Questions about ALPN Mark Nottingham
- Re: [TLS] Questions about ALPN Michael D'Errico
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Michael D'Errico
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Michael D'Errico
- Re: [TLS] Questions about ALPN Martin Thomson
- Re: [TLS] Questions about ALPN Michael D'Errico
- Re: [TLS] Questions about ALPN Mark Nottingham