Inline...
> On 7 Apr 2020, at 1:39, Martin Thomson <m...@lowentropy.net> wrote:
>
> I like this work, but I don't believe this to be ready yet.
>
> S1
> None of the current proposed extensions are such that the server
> indicates support without the client first indicating support. So as
> not to preclude future extensions that are so defined, this
> specification allows the client to send an empty extension,
> indicating support for TLS flags in general (and presumably some
> unspecified features in particular).
>
> First, for clarification, the distinction between empty and all-zero-valued
> is perhaps worth drawing on.
I think the description of the extension in section 2 is clear. An extension
without any flags set is empty, It’s not all zero-valued. A FlagsExtensions
field with a length of 1 and the one byte being zero is an invalid encoding of
the extension as its length is the minimal length possible. So only an empty
extension is meaningful.
> Second, more seriously, if this is the goal, the text needs to acknowledge
> that the possibility exists on a *per-flag* basis.
Can you suggest text?
>
> Third, more substantially, and invalidating the above, I don't think that we
> should make flags introduce a new style of negotiation just because it can.
> I would strongly prefer that this function as close as possible to "empty
> ClientHello extension; empty EncryptedExtensions extension". Aside from
> that, the utility of an advertisement from the server that a client cannot
> respond to is pretty marginal.
If this is what the group prefers, I’m fine with it, but then there’s never any
point in sending an empty extension, either from the client of form the server.
The absence of an individual flag is always implied from the absence of the
extension.
> Fourth, this conflicts with the following text in S2:
>
> A server that supports this extension and also supports at least one
> of the flag-type features that use this extension and that were
> declared by the ClientHello extension SHALL send this extension with
> the intersection of the flags it supports with the flags declared by
> the client.
Agree. So either we abolish “silent client - server declares” extensions (let’s
call them unsolicited), or we rephrase the above something along the lines of:
A server that supports the extension and also supports at least one flag
that was either present in the ClientHello extension or is allowed to be sent
unsolicited, SHALL send this extension with all of the flags it is configured
to support except those that are not allowed to be sent unsolicited and that
were not present in the ClientHello extension
> Nit here: this isn't about support alone, it is the flags that the server
> *chooses* to support.
“configured to support” ?
> S2
> The server may need to send two tls_flags extensions,
> one in the ServerHello and the other in the EncryptedExtensions
> message.
>
> Are we confident that sending the same extension in both places is safe? I
> know that clients have to implement this and so should be able to test that
> this works, but it seems awkward. And it might not be necessary. It's also
> not sufficient, as we currently allow responses to ClientHello extensions to
> appear in Certificate (and for CertificateRequest to carry "requests" in the
> other direction).
I don’t think the two extensions ever carry the same flags. Each server side
flag should be one of three: serverHello, encrpytedExtensions, or neither (if
we are not expecting a response)
I think this requires another field in the IANA registry.
As for Certificate, I don’t see why we’d need to add bit responses to
Certificate. They can safely be sent in either serverHello or
encryptedExtensions.
> Perhaps we might avoid this problem entirely. ServerHello extensions are
> limited to key exchange. If we say that flags are limited (today) to
> functional properties that don't affect key exchange, my thought is that we
> don't lose much (if anything) by only allowing this extension in
> EncryptedExtensions.
I’m trying to come up with key exchange bits that might be useful. Perhaps a
new, improved alternative to HKDF? Support for Quantum Key Exchange?
> I don't know what I think about Certificate extensions. This seems to have a
> clear use there.
>
> Editorial:
>
> S1
> It might be better to draw examples from the canon of published RFCs than to
> refer to things that might not get published.
I support I cna mention RI earlier.
>
> On Tue, Apr 7, 2020, at 00:53, Christopher Wood wrote:
>> This is the working group last call for the "A Flags Extension for TLS
>> 1.3" draft, available at:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-tls-tlsflags/
>>
>> Please review the document and send your comments to the list by April
>> 20, 2020. The GitHub repository for this draft is available at:
>>
>> https://github.com/tlswg/tls-flags
>>
>> Thanks,
>> Chris, on behalf of the chairs
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
