Re: New tunnel protocol

ok, that's what I was getting at in my initial query

it may help then to make that clear in the draft that the ALPN id is 
the thing specifying whether TLS is the next layer or not

So for those concerned with privacy, the client could simply advertise 
TLS

You will need to make sure all the variants are registered as ALPN ids 
though as well, such as

pop3 and pop3s, smtp and smtps, imap etc etc

these will all have different meanings in a TLS ALPN option vs the 
Tunnel-Protocol field (as they will have 1 layer of TLS difference).  In 
some protocols, such as ftp, there's already a lot of confusion (e.g. the 
difference between ftps and sftp), I see this requirement adding to 
that.

You'd need to make sure that for every protocol you could see in a TLS 
ALPN option, there was a corresponding -s version defined for T-P.

Might it not just be easier to be able to separately specify the TLS 
layer, and then allow the T-P header to exactly match the ALPN in the 
TLS handshake?  Some proxies definitely will want to check if the client 
lied about it.

Adrien

------ Original Message ------
From: "Martin Thomson" <martin.thomson@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "HTTP Working Group" 
<ietf-http-wg@w3.org>
Sent: 25/01/2015 6:20:46 p.m.
Subject: Re: New tunnel protocol

>On 24 January 2015 at 19:33, Adrien de Croy <adrien@qbik.com> wrote:
>> The problem for me as a proxy implementor, is I still don't know whether to
>> expect there to be a TLS layer in there or not. Please don't make me resort
>> to sniffing or daft heuristics to figure this out. Just make it explicit.
>> If there is an and/or option, include a way to clearly state this in the
>> protocol.
>
>The ALPN identifier tells you if there is TLS.

Received on Sunday, 25 January 2015 19:15:13 UTC
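The check Adrien describes at the end of his message (a proxy confirming that what the client actually sends into the tunnel matches the protocol it declared on the CONNECT) can be illustrated with a small parser. The code below is an added example written for this archive page; it is not code from either participant, from Squid or WinGate, or from the draft under discussion. It assumes two things the thread does not specify: that the Tunnel-Protocol header value is a comma-separated list of ALPN protocol IDs, and that the proxy can peek at the first bytes the client writes after the 200 response. The ALPN extension layout itself is the one defined in RFC 7301 (extension type 16); the ClientHello builder exists only to construct test input.

```python
"""Compare a CONNECT request's declared tunnel protocol with the ALPN the
client really offers in its TLS ClientHello (added example, see lead-in).

Assumptions not taken from the thread: Tunnel-Protocol is a comma-separated
list of ALPN IDs, and the proxy can inspect the first bytes of tunnel data.
"""
import struct
from typing import List, Optional, Tuple

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type
EXT_ALPN = 16          # ALPN extension type, RFC 7301


def parse_tunnel_protocol(header_value: str) -> List[str]:
    """Split the (assumed) comma-separated Tunnel-Protocol value into ALPN IDs."""
    return [p.strip() for p in header_value.split(",") if p.strip()]


def looks_like_tls(data: bytes) -> bool:
    """True if the first tunnel bytes are a handshake record carrying a ClientHello."""
    return len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[5] == CLIENT_HELLO


def client_hello_alpn(data: bytes) -> Optional[List[str]]:
    """Return the ALPN list from a ClientHello; [] if TLS without ALPN; None if malformed."""
    if not looks_like_tls(data):
        return None
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    if pos >= len(data):
        return None
    pos += 1 + data[pos]                  # session_id
    if pos + 2 > len(data):
        return None
    (cs_len,) = struct.unpack_from("!H", data, pos)
    pos += 2 + cs_len                     # cipher_suites
    if pos >= len(data):
        return None
    pos += 1 + data[pos]                  # compression_methods
    if pos + 2 > len(data):
        return None
    (ext_len,) = struct.unpack_from("!H", data, pos)
    pos += 2
    end = pos + ext_len
    if end > len(data):
        return None
    while pos + 4 <= end:                 # walk the extension list
        ext_type, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > end:
            return None
        if ext_type == EXT_ALPN:
            body = data[pos:pos + length]
            if len(body) < 2:
                return None
            (list_len,) = struct.unpack_from("!H", body, 0)
            names, i = [], 2
            while i < 2 + list_len and i < len(body):
                n = body[i]
                i += 1
                names.append(body[i:i + n].decode("ascii", "replace"))
                i += n
            return names
        pos += length
    return []                             # TLS, but the client offered no ALPN


def verify_tunnel(header_value: str, first_bytes: bytes) -> Tuple[str, List[str]]:
    """Verdict for a proxy: did the client send what its Tunnel-Protocol header said?

    Returns (verdict, undeclared_ids). "undeclared" lists ALPN IDs offered in
    the ClientHello but absent from the header, i.e. the client "lied".
    """
    declared = parse_tunnel_protocol(header_value)
    if not looks_like_tls(first_bytes):
        return "no-tls", []               # cleartext; nothing in ALPN to check against
    offered = client_hello_alpn(first_bytes)
    if offered is None:
        return "malformed", []
    if not offered:
        return "no-alpn", []
    extras = [p for p in offered if p not in declared]
    return ("undeclared", extras) if extras else ("match", [])


def build_client_hello(alpn_ids: Optional[List[str]]) -> bytes:
    """Construct a minimal ClientHello for testing (not captured traffic).

    alpn_ids=None yields a ClientHello with no extensions at all.
    """
    ext = b""
    if alpn_ids is not None:
        names = b"".join(bytes([len(n)]) + n.encode("ascii") for n in alpn_ids)
        alpn_body = struct.pack("!H", len(names)) + names
        ext = struct.pack("!HH", EXT_ALPN, len(alpn_body)) + alpn_body
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A proxy that wants "explicit, not sniffed" still has to do the first check (`looks_like_tls`), because the header alone cannot prove the client honoured it; what the header buys is a declared value to compare against, so a mismatch becomes a policy decision rather than a guess.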