Re: [TLS] TLS 1.3 Application Identifier ?

Juho Vähä-Herttua <juhovh@iki.fi> Wed, 16 July 2014 19:49 UTC

From: Juho Vähä-Herttua <juhovh@iki.fi>
In-Reply-To: <CAEQGKXQ3bxQKLVLoYxiEkyJ7cG+8RYSyuxHKoNDi=UYkV-rrGA@mail.gmail.com>
Date: Wed, 16 Jul 2014 22:49:41 +0300
Message-Id: <4F8BD5B9-0D93-41EC-AC87-2F8519CC0980@iki.fi>
References: <CAEQGKXRhAh2BvwY0xCCf-BN6kh37_athgYQ+Ha7LJE0DYvSCVg@mail.gmail.com> <ce96173c-e886-4c90-a567-8fd445ed7169@email.android.com> <CAEQGKXTby0hwY+Ttxki1CJ7aimkGOgEuxcGcMw2z_HQt3H0-LQ@mail.gmail.com> <CABkgnnW2MBpBd5inPTj0V0aH69g7JOGuRtAA9o+-hYniEgYGSA@mail.gmail.com> <CAEQGKXQ3bxQKLVLoYxiEkyJ7cG+8RYSyuxHKoNDi=UYkV-rrGA@mail.gmail.com>
To: Pascal Urien <pascal.urien@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/z0a_Xb0HHpVsrotGMp4rkzy7YzY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 Application Identifier ?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 16.7.2014, at 22.21, Pascal Urien <pascal.urien@gmail.com> wrote:
> 
> For me TLS is a transport layer
> 
> UDP or TCP are transport layers. They identify the transported application PDUs by a port number.

I'm a bit lost here. As far as I know, TLS always works on top of UDP or TCP, and therefore the port numbers identifying the transported applications apply there as well.

> Without a mandatory application identifier the TLS 1.3 will not give by default any information on the transported application

It does give information through the port number, and if e.g. 443 is always used for firewall compatibility, then ALPN works.

> I believe that a client certificate should be bound to an application.

Can you give some specific reasoning for this? I don't see anything forbidding certificate selection based on ALPN either. Or you can run TLS on different TCP ports for different applications.

> If no application identifier is available the client could set it to null.

Or it could simply not send the ALPN extension.


Juho
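The points raised in this reply (ALPN as the application identifier, a server choosing its certificate or protocol from it, and a client that simply omits the extension rather than sending a "null" identifier) are concrete enough to show in code. The block below is an added example written for this archive page, not code from the original thread or from any IETF document. It encodes and decodes the ALPN extension (RFC 7301, extension type 16) and the server_name extension (RFC 6066, type 0) exactly as they appear in a ClientHello extensions block, then applies a server-side preference list and a constructed certificate table. The hostnames, protocol lists and certificate labels are made up for illustration; the one real-world anchor is that RFC 8737 (ACME TLS-ALPN-01) does select a dedicated validation certificate purely on the ALPN value "acme-tls/1".

```python
"""Added example: TLS ALPN / server_name extension encode, parse and server-side selection.

Not code from the original e-mail. Sample hostnames, protocol lists and the
certificate table are constructed for illustration only.
"""
import struct

SERVER_NAME_EXT_TYPE = 0   # RFC 6066 server_name
ALPN_EXT_TYPE = 16         # RFC 7301 application_layer_protocol_negotiation


def encode_alpn_extension(protocols):
    """Serialise an ALPN extension: uint16 type, uint16 length, ProtocolNameList.

    ProtocolNameList is a uint16 length followed by ProtocolName<1..2^8-1>
    entries. An empty list is not encodable: a client with no application
    identifier omits the extension altogether.
    """
    if not protocols:
        raise ValueError("ALPN list must be non-empty; omit the extension instead")
    body = b""
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name length out of range")
        body += struct.pack("!B", len(raw)) + raw
    ext_data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", ALPN_EXT_TYPE, len(ext_data)) + ext_data


def encode_server_name_extension(hostname):
    """Serialise a server_name extension with one host_name (name_type 0) entry."""
    raw = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(raw)) + raw
    ext_data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT_TYPE, len(ext_data)) + ext_data


def encode_extensions_block(*exts):
    """Wrap encoded extensions in the uint16-length-prefixed ClientHello block."""
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions_block(data):
    """Return {ext_type: ext_data}; reject truncation, trailing bytes and duplicates."""
    if len(data) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", data[:2])
    if len(data) != 2 + total:
        raise ValueError("extensions length mismatch")
    pos, exts = 2, {}
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(data):
            raise ValueError("truncated extension body")
        if ext_type in exts:  # RFC 8446 4.2: at most one extension of each type
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = data[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_alpn(exts):
    """Return the client's ordered protocol list, or None when no ALPN was sent."""
    if ALPN_EXT_TYPE not in exts:
        return None
    data = exts[ALPN_EXT_TYPE]
    if len(data) < 2:
        raise ValueError("ALPN extension too short")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len == 0 or len(data) != 2 + list_len:
        raise ValueError("bad ProtocolNameList length")
    pos, names = 2, []
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("bad ProtocolName length")
        names.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return names


def parse_server_name(exts):
    """Return the first host_name entry, or None if the extension is absent."""
    if SERVER_NAME_EXT_TYPE not in exts:
        return None
    data = exts[SERVER_NAME_EXT_TYPE]
    (list_len,) = struct.unpack("!H", data[:2])
    if len(data) != 2 + list_len:
        raise ValueError("bad ServerNameList length")
    pos = 2
    while pos + 3 <= len(data):
        name_type, n = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if pos + n > len(data):
            raise ValueError("truncated ServerName")
        if name_type == 0:
            return data[pos:pos + n].decode("ascii")
        pos += n
    return None


def select_protocol(client_protocols, server_preferences):
    """Server chooses by its own preference order (RFC 7301 3.2).

    None with a non-None client list means no overlap: the server SHALL then
    send a fatal no_application_protocol alert rather than guess.
    """
    if client_protocols is None:
        return None
    for p in server_preferences:
        if p in client_protocols:
            return p
    return None


# Constructed certificate table keyed on (selected ALPN, SNI). "acme-tls/1"
# mirrors RFC 8737, where the validation certificate is chosen on ALPN alone.
CERT_TABLE = {
    ("acme-tls/1", None): "acme-validation-cert",
    ("h2", "www.example.com"): "web-cert",
    ("http/1.1", "www.example.com"): "web-cert",
    (None, "www.example.com"): "web-cert",
}


def select_certificate(selected_protocol, sni):
    """Pick a certificate label; ALPN-only rules take precedence over SNI-only ones."""
    for key in ((selected_protocol, None), (selected_protocol, sni), (None, sni)):
        if key in CERT_TABLE:
            return CERT_TABLE[key]
    return None


def handle_client_hello_extensions(block, server_preferences=("h2", "http/1.1", "acme-tls/1")):
    """Parse a ClientHello extensions block and return (sni, alpn_list, chosen, cert)."""
    exts = parse_extensions_block(block)
    sni = parse_server_name(exts)
    alpn = parse_alpn(exts)
    chosen = select_protocol(alpn, server_preferences)
    return sni, alpn, chosen, select_certificate(chosen, sni)


if __name__ == "__main__":
    with_alpn = encode_extensions_block(
        encode_server_name_extension("www.example.com"),
        encode_alpn_extension(["h2", "http/1.1"]))
    without_alpn = encode_extensions_block(encode_server_name_extension("www.example.com"))
    print(handle_client_hello_extensions(with_alpn))
    print(handle_client_hello_extensions(without_alpn))
```

The second call shows the case the reply ends on: a client with no application identifier does not send a "null" ALPN; it sends no ALPN extension, and the server sees None and falls back to port- or SNI-based selection.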