On Friday 03 June 2016 16:16:13 Dave Garrett wrote: > The idea of using an empty extension as an indicator really isn't > fundamentally different from what I'm suggesting here. We'd just have > an arbitrary set of new version indicators mixed in with extensions > instead of inside a new generalized basket. My replacement was > (again, it's over a year old) designed to be a general purpose > long-term solution that could handle 1.3, 1.4, draft versions, > experiments, etc, without special-casing. I'm not fundamentally > against just adding a TLS 1.3 version indicator extension and > freezing the old version number to 1.2. It just feels a little more > hacky to me, though in the short-term it's simpler.
The reason why we want to add this is because there are programmers that get the normal version negotiation wrong. What makes you think that a new version negotiation that works more or less in the same way will _not_ be implemented incorrectly? Counter example: there are servers which handle TLSv1.2 and do not handle TLSv1.3 (e.g. ebay.com), and there are implementations that do not handle multiple names in SNI extension. Both are supported only by either recent or very recent implementations. And don't forget that what we are proposing here is significantly complicating implementations that most likely _are_ behaving properly and _are_ handling unknown versions/extensions/ciphersuites correctly; just because there are few bad apples. > With respect to the concern of version numbers being moved to a > non-fixed position, we could just require that the new version list > extension be first or last in the extensions list. it's still after the variable-length list of ciphersuites... -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
