On Thu, Jan 07, 2021 at 02:50:43PM +1100, Martin Thomson wrote:
> Trimming this down.
>
> On Wed, Jan 6, 2021, at 14:53, Benjamin Kaduk wrote:
> > I didn't expect to find much appetite for changes, but I wouldn't be doing
> > my job if I didn't ask the question. It's a little unusual for something
> > outside the core protocol to change the behavior of an extension defined in
> > the core protocol, but perhaps not unheard of. There is also the question
> > of whether it would merit an "Updates:" relationship ... since you have to
> > implement the rest of the new thing to get the new semantics, it may not be
> > needed.
>
> This isn't an "Updates: X" moment at all in my view. Extensions to TLS have
> added new handshake messages (certificate status for instance) without
> updating what it means to implement the core protocol. It's only an update
> in my view if the functions defined in the updated document.

(incomplete?)

> > Which behavior is that, exactly? The QUIC 0-RTT keys are different than
> > the TLS ones, and the data itself is carried in a different place...
>
> I referred to all of the code that involves 0-RTT.

At what layer? I honestly do not understand which parts you see as "the same
behavior". The application will have some data to send early, sure, but at
some point your interface has to know if it's running over TCP+TLS or over
QUIC, and the only differences I see are below that point. Any given TLS
handshake is intrinsically destined for QUIC or not-QUIC, so you're never in a
situation where you would send both extensions at the same time.

> > I think the key question for the TLS WG might be how similar something has
> > to be before it's a good idea to reuse an extension codepoint vs. getting a
> > new one.
>
> If you like.
>
> > For what little it's worth, the patches to enable building a QUIC stack on
> > top of OpenSSL (that have been rejected by upstream at this point
>
> (incomplete?)

Yes, sorry -- interrupted mid-compose.

For what little it's worth, the patches to enable building a QUIC stack on top
of OpenSSL (that have been rejected by upstream at this point in the 3.0.0
release cycle and are now maintained by Akamai and used by several parties)
don't implement support for early data at all, so I don't have any direct
implementation insight to provide. OTOH, that suggests that people might not
be using QUIC 0-RTT with the openssl TLS stack at all.

-Ben
