Re: [TLS] [Uta] Recommending ALPN (was Re: [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11 ...)

Valery Smyslov <smyslov.ietf@gmail.com> Fri, 30 April 2021 06:25 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Martin Thomson' <mt@lowentropy.net>, "'Salz, Rich'" <rsalz@akamai.com>
Cc: uta@ietf.org, tls@ietf.org
References: <161921129877.20343.10624609154750488813@ietfa.amsl.com> <034F6C49-0195-4FAF-9EF2-1E39E809F902@sinodun.com> <7d8fa1d2-ef1a-4ed3-b660-955248a4ec63@www.fastmail.com> <753E5DAA-37C6-4F82-829D-29DA5458C1DB@akamai.com> <fe80ee08-eebc-45cf-8d83-51f2da83cb96@www.fastmail.com>
In-Reply-To: <fe80ee08-eebc-45cf-8d83-51f2da83cb96@www.fastmail.com>
Date: Fri, 30 Apr 2021 09:25:39 +0300
Message-ID: <0f9101d73d89$a3f252e0$ebd6f8a0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zkinVP_QUUdZNpdS90Gf6huy-ow>

Hi Martin,

> > >    No new protocol should use TLS without ALPN.  It only opens space for cross-protocol attacks.  Did the
> > > working group consider this possibility in their discussions?
> >
> > I don't believe that message has been made as public as it should be.
> 
> I see that UTA is working on a revision of RFC 7525.  Is text on this something that would be in scope.  I only
> just searched for "ALPN", finding nothing, so maybe it is not in the original scope and maybe there are things
> that might prevent expansion of scope.

The original motivation for 7525bis was to update RFC 7525 in light of the appearance of TLS 1.3.
However, I believe that recommendations for using ALPN are in scope for this document.

Regards,
Valery.
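The point in the quoted text above, that a TLS-based protocol should negotiate ALPN so a client speaking one protocol cannot be connected to a server speaking another, shown as an added example; this is not code from the thread, from RFC 7525 or its bis, or from any IETF document. It uses Go's standard crypto/tls over loopback with a self-signed certificate generated in-process, and the identifiers "dot" (DNS-over-TLS) and "h2" (HTTP/2) only as two distinct registered ALPN values; the function names and the three scenarios are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for 127.0.0.1 so the
// example runs offline; it is illustrative, not a certificate you would deploy.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alpn-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Negotiate runs one loopback TLS handshake between a server advertising
// serverProtos and a client offering clientProtos. It returns the ALPN protocol
// the client saw negotiated and an error if the server refused the connection.
// crypto/tls rejects a mismatch on its own; a client that omits ALPN entirely
// handshakes fine and is only stopped by the explicit server-side check below.
func Negotiate(serverProtos, clientProtos []string) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			serverErr <- err // e.g. no_application_protocol alert on an ALPN mismatch
			return
		}
		proto, allowed := tc.ConnectionState().NegotiatedProtocol, false
		for _, p := range serverProtos {
			allowed = allowed || p == proto
		}
		if !allowed { // also catches proto == "" when the client sent no ALPN at all
			serverErr <- fmt.Errorf("server: refusing connection with ALPN %q", proto)
			return // connection is closed before any application data flows
		}
		_, err = io.WriteString(tc, "ready for "+proto+"\n")
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,
		NextProtos: clientProtos,
	})
	if err != nil {
		return "", err // the handshake itself failed
	}
	defer conn.Close()
	proto := conn.ConnectionState().NegotiatedProtocol
	if _, err := conn.Read(make([]byte, 64)); err != nil {
		return proto, fmt.Errorf("client: no application data with ALPN %q: %v (%v)", proto, err, <-serverErr)
	}
	return proto, nil
}

func main() {
	for _, c := range [][2][]string{{{"dot"}, {"dot"}}, {{"dot"}, {"h2"}}, {{"dot"}, nil}} {
		proto, err := Negotiate(c[0], c[1])
		fmt.Printf("server=%v client=%v -> negotiated=%q err=%v\n", c[0], c[1], proto, err)
	}
}
```

The first scenario negotiates "dot" and the server answers; the second, a client offering only "h2", is refused (recent Go versions abort the handshake with the no_application_protocol alert RFC 7301 prescribes for no overlap, older ones hand the application an empty protocol that the check above catches); the third, a client that sends no ALPN extension, completes the handshake at the library level and is refused only because the server inspects NegotiatedProtocol before writing anything. That last case is the one a "use ALPN" recommendation has to spell out: the library enforces a mismatch, but treating a missing extension as an error is a decision the protocol specification and the application have to make.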
