[cabfpub] New TLS Feature (OCSP MUST Staple) draft

Phillip Hallam-Baker philliph at comodo.com
Wed Jun 11 14:14:58 MST 2014


Agh... I will point out to Russ that the assignment is spoiled and move on to 24

The point of doing the feature scheme this way is to avoid the need for an additional registry. The feature codes are defined in the 
TLS specification. I will add some language to clarify.


-----Original Message----- 
From: Kurt Roeckx
Sent: Wednesday, June 11, 2014 5:07 PM
To: Phillip Hallam-Baker
Cc: CABFPub
Subject: Re: [cabfpub] New TLS Feature (OCSP MUST Staple) draft

On Wed, Jun 11, 2014 at 02:24:50PM -0400, Phillip Hallam-Baker wrote:
> All,
>
> I have just posted:
>
> http://www.ietf.org/id/draft-hallambaker-tlsfeature-04.txt
>
> The main change from the previous draft is that we now have a proposed OID assignment and an IANA section. Previously we did not 
> need an IANA section because it wasn't an IANA registry yet.
>
> There is a proposed code point. THAT COULD CHANGE.
>
> But what probably can't happen is that the code point being assigned to anything else.

So I understand that it's 1.3.6.1.5.5.7.1.23, which is also
mentioned in the April 1 RFC 7169.  Wouldn't it be better
to use something other than 23?  But I have no problem with
using 23 since nobody should be using it.

The draft also says:
   tls-feature OBJECT IDENTIFIER ::=  { id-pe  1 }

That "1" should probably be changed to match the 23, id-pe 1 being
the AIA.

Then it has:
   Features ::= SEQUENCE OF INTEGER

But it does not define what those integers mean.  I'm guessing at
least status_request amd status_request_v2 should be assigned
a number.

It also says at a few places:
   The purpose of the TLS Feature extension is to prevent downgrade
   attacks that are not otherwise prevented by the TLS protocol.

This confuses me, it does not mention any type of downgrade attack
it's preventing and even says it doesn't prevent a cipher suite
downgrade attack.  I'm guessing it's about not using TLS
extentions, and then wonder if it could also be used to prevent
TLS protocol version downgrade attacks.

Are their plans to add other numbers later, and should that
be handled by IANA?


Kurt



More information about the Public mailing list