- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 26 Jan 2015 10:14:31 +1300
- To: Adrien de Croy <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>
- Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
One more thought on this. A proxy wanting to do cert verification on TLS needs to know if the next layer is TLS. Requiring a proxy to recognise all ALPN ids to know this I think is a bad design decision.

> On 26/01/2015, at 8:14 am, Adrien de Croy <adrien@qbik.com> wrote:
>
> ok, that's what I was getting at in my initial query
>
> it may help then to make that clear in the draft that the ALPN id is the thing specifying whether TLS is the next layer or not
>
> So for those concerned with privacy, the client could simply advertise TLS
>
> You will need to make sure all the variants are registered as ALPN ids though as well, such as
>
> pop3 and pop3s, smtp and smtps, imap etc etc
>
> these will all have different meanings in a TLS ALPN option vs the Tunnel-Protocol field (as they will have 1 layer of TLS difference). In some protocols, such as ftp, there's already a lot of confusion (e.g. difference between ftps and sftp), I see this requirement adding to that.
>
> You'd need to make sure that for every protocol you could see in a TLS ALPN option, there was a corresponding -s version defined for T-P.
>
> Might it not just be easier to be able to separately specify the TLS layer, and then allow the T-P header to exactly match the ALPN in the TLS handshake? Some proxies definitely will want to check if the client lied about it.
>
> Adrien
>
> ------ Original Message ------
> From: "Martin Thomson" <martin.thomson@gmail.com>
> To: "Adrien de Croy" <adrien@qbik.com>
> Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "HTTP Working Group" <ietf-http-wg@w3.org>
> Sent: 25/01/2015 6:20:46 p.m.
> Subject: Re: New tunnel protocol
>
>>> On 24 January 2015 at 19:33, Adrien de Croy <adrien@qbik.com> wrote:
>>> The problem for me as a proxy implementor, is I still don't know whether to
>>> expect there to be a TLS layer in there or not. Please don't make me resort
>>> to sniffing or daft heuristics to figure this out. Just make it explicit.
>>> If there is an and/or option, include a way to clearly state this in the
>>> protocol.
>>
>> The ALPN identifier tells you if there is TLS.
>
Received on Sunday, 25 January 2015 21:15:12 UTC
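The decision the thread is arguing about, shown as a small added example (this is not code from the draft, from WinGate or from any proxy on the list): a CONNECT proxy reads the Tunnel-Protocol style header, percent-decodes the comma-separated ids, and tries to decide whether the bytes that follow are TLS so it knows whether certificate verification even applies. The lookup table is an assumption made for the example: "h2" is a registered ALPN id, while "pop3"/"pop3s" stand in for the "-s variant" convention Adrien describes and are not registered ids. The interesting result is the third state, "unknown", which is exactly the outcome the email objects to: any id the proxy has not been taught leaves it unable to decide without sniffing.

```python
"""Tri-state 'is the next layer TLS?' decision from a Tunnel-Protocol header.
Example code written for this thread; the id table below is assumed."""
from urllib.parse import unquote

# Assumed mapping: id -> True (TLS follows CONNECT), False (cleartext follows).
# "h2" is a real registered ALPN id; "pop3"/"pop3s" are hypothetical entries
# illustrating the "-s variant" scheme discussed in the thread.
KNOWN_IDS = {
    "h2": True,
    "pop3": False,
    "pop3s": True,
}


def parse_tunnel_protocol(value: str) -> list:
    """Split a header value into ids; each token is percent-decoded,
    so 'http%2F1.1' becomes 'http/1.1'."""
    return [unquote(tok.strip()) for tok in value.split(",") if tok.strip()]


def expect_tls(header_value: str) -> str:
    """Return 'tls', 'cleartext' or 'unknown'.

    'unknown' covers an empty header, an id the proxy does not recognise, and
    a list that mixes TLS and cleartext ids; in all three cases the proxy has
    nothing explicit to act on, which is the design problem the email raises."""
    ids = parse_tunnel_protocol(header_value)
    if not ids:
        return "unknown"
    verdicts = {KNOWN_IDS.get(i) for i in ids}  # None marks an unrecognised id
    if verdicts == {True}:
        return "tls"
    if verdicts == {False}:
        return "cleartext"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample header values, one per case.
    for hv in ("h2", "pop3", "pop3s, pop3", "smtp", "http%2F1.1", ""):
        print(repr(hv), "->", expect_tls(hv))
```

A proxy that wants to enforce policy ("only tunnel TLS", or "verify the server certificate on every TLS tunnel") has to treat "unknown" as a refusal or a fallback to inspection, which is why a separate, explicit TLS indicator is simpler than teaching the proxy every id.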