On Thu, Apr 29, 2021 at 11:49 AM Allison Mankin <allison.man...@gmail.com> wrote:
> Hi Ekr, > > As Sara wrote, the spec had ALPN. The WG consensus during the IETF 108 > meeting was very strong to take it out, including quite strong statements > from you along the lines that distinguishing between XoT and DOT was an > incorrect usage of ALPN. > I don't have the message you are referring to at hand, so I'm not able to respond to that. However, I don't believe that an ALPN is needed to distinguish XoT from DoT because there is no confusion between the protocol traces of XoT and DoT. However there should be an ALPN to distinguish XoT and DoT from HTTP, SMTP, etc.IOW, this protocol should use ALPN="dot". I understand that the perspective changed since IETF108 (that WG discussion > was at the end of July 2020) and that communications were not wide enough > for us to know about it in March when the WG moved the draft to WGLC, > Directorates Review, and IETF LC > I don't think anyone is saying that the WG somehow did something wrong procedurally, merely that this is a defect that ought to be corrected prior to publication. -Ekr On Thu, Apr 29, 2021 at 14:25 Eric Rescorla <e...@rtfm.com> wrote: > >> Probably not, but I agree with MT. >> >> The general idea here is that any given protocol trace should only be >> interpretable in one way. So, either you need the interior protocol to be >> self-describing or you need to separate the domains with ALPN. I don't >> believe that either the IP ACL or mTLS addresses this issue, and in fact >> arguably mTLS makes the problem worse because it provides authenticated >> protocol traces which might be usable for cross-protocol attacks. >> >> -Ekr >> >> >> On Thu, Apr 29, 2021 at 7:26 AM Salz, Rich <rsalz= >> 40akamai....@dmarc.ietf.org> wrote: >> >>> > No new protocol should use TLS without ALPN. It only opens space >>> for cross-protocol attacks. Did the working group consider this >>> possibility in their discussions? >>> >>> I don't believe that message has been made as public as it should be. >>> >>> _______________________________________________ >>> dns-privacy mailing list >>> dns-priv...@ietf.org >>> https://www.ietf.org/mailman/listinfo/dns-privacy >>> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
