
Ben Kaduk's TLS Comment 3 #4479

Closed
LPardue opened this issue Jan 6, 2021 · 3 comments · Fixed by #4553
Labels
-tls editorial An issue that does not affect the design of the protocol; does not require consensus. iesg An issue raised during IESG review.
Comments

LPardue (Member) commented Jan 6, 2021

@kaduk said:

Section 3

Figure 3 shows "TLS Alerts" as being carried over QUIC Transport, but
per §4.8 TLS alerts are translated into QUIC connection errors and are
not sent natively.

  • The TLS component provides a series of updates to the QUIC
    component, including (a) new packet protection keys to install (b)
    state changes such as handshake completion, the server
    certificate, etc.

I think that if we're going to talk about passing the server certificate
between TLS and QUIC components, we should be very clear about where/how
certificate validation occurs. For example, it would be pretty
disastrous if TLS passed the certificate to QUIC expecting that QUIC
would do any validation of the peer identity, but QUIC assumed that TLS
would only provide a validated certificate. Perhaps in §4.1 when we
mention the potential for "additional functions [...] to configure TLS",
we might mention "including certificate validation", if appropriate?

@LPardue LPardue added -tls iesg An issue raised during IESG review. labels Jan 6, 2021
@LPardue LPardue added this to the tls-iesg milestone Jan 6, 2021
martinthomson added a commit that referenced this issue Jan 6, 2021
Important enough to call out in this section.

Closes #4479.
@martinthomson martinthomson added the editorial An issue that does not affect the design of the protocol; does not require consensus. label Jan 6, 2021
kaduk (Contributor) commented Jan 9, 2021

Should we split this bit out into a separate issue?

Figure 3 shows "TLS Alerts" as being carried over QUIC Transport, but
per §4.8 TLS alerts are translated into QUIC connection errors and are
not sent natively.

(The prose also says "TLS Handshake and Alert messages are carried
directly over the QUIC transport".)

martinthomson (Member) commented

I don't think we need to do anything in response to that. Those messages are carried by QUIC.

kaduk (Contributor) commented Jan 11, 2021

I will defer to your preference, but I do not agree that "those messages" are carried by QUIC; QUIC does not carry TLS Alert structures.
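The two points in this thread are the §4.8 rule that a TLS alert is not sent on the wire but converted into a QUIC connection error, and the question of which component is responsible for certificate validation. The following is an added illustration, not code from the quic-wg drafts or any QUIC implementation. The numeric constants are from RFC 8446 (alert descriptions) and RFC 9001 §4.8 (CRYPTO_ERROR is 0x0100 plus the one-byte alert description, carried in a CONNECTION_CLOSE frame of type 0x1c); the class and function names, and the `peer_validated` flag on the TLS-to-QUIC update, are hypothetical and exist only to make the validation responsibility explicit rather than assumed.

```python
"""Model of the TLS -> QUIC alert mapping and an explicit validation handoff.

Added example; not code from the quic-wg drafts. Constants come from
RFC 8446 section 6 and RFC 9001 section 4.8. All class/function names are
hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TlsAlert(IntEnum):
    # Subset of the RFC 8446 alert description values.
    CLOSE_NOTIFY = 0
    UNEXPECTED_MESSAGE = 10
    HANDSHAKE_FAILURE = 40
    BAD_CERTIFICATE = 42
    CERTIFICATE_EXPIRED = 45
    UNKNOWN_CA = 48
    DECRYPT_ERROR = 51
    PROTOCOL_VERSION = 70
    INTERNAL_ERROR = 80
    NO_APPLICATION_PROTOCOL = 120


CRYPTO_ERROR_BASE = 0x0100          # RFC 9001 4.8: CRYPTO_ERROR range 0x0100-0x01ff
CONNECTION_CLOSE_TRANSPORT = 0x1C   # frame type for a transport-level close


@dataclass(frozen=True)
class ConnectionClose:
    frame_type: int
    error_code: int
    offending_frame_type: int  # 0 when no specific frame triggered the close
    reason: str


def alert_to_connection_close(alert: int, reason: str = "") -> ConnectionClose:
    """Translate a (fatal) TLS alert description into the QUIC close frame.

    QUIC never carries the TLS Alert structure itself; only this derived
    error code reaches the wire.
    """
    if not 0 <= alert <= 0xFF:
        raise ValueError("TLS alert description is a single byte")
    return ConnectionClose(
        frame_type=CONNECTION_CLOSE_TRANSPORT,
        error_code=CRYPTO_ERROR_BASE + alert,
        offending_frame_type=0,
        reason=reason,
    )


def connection_close_to_alert(error_code: int) -> Optional[int]:
    """Inverse mapping, useful when logging a received CONNECTION_CLOSE.

    Returns None if the code is not in the CRYPTO_ERROR range.
    """
    if CRYPTO_ERROR_BASE <= error_code <= 0x01FF:
        return error_code - CRYPTO_ERROR_BASE
    return None


@dataclass(frozen=True)
class HandshakeUpdate:
    """Hypothetical update the TLS component hands to the QUIC component."""
    handshake_complete: bool
    peer_certificate: Optional[bytes]
    peer_validated: bool  # TLS states explicitly that it validated the chain/identity


def quic_accept_update(update: HandshakeUpdate) -> Optional[ConnectionClose]:
    """QUIC side of the handoff: fail closed if validation was not asserted.

    Neither component may silently assume the other validated the peer; an
    unvalidated certificate is treated as a bad_certificate alert and mapped
    to the corresponding CRYPTO_ERROR.
    """
    if update.peer_certificate is not None and not update.peer_validated:
        return alert_to_connection_close(
            TlsAlert.BAD_CERTIFICATE, "peer certificate not validated by TLS"
        )
    return None


if __name__ == "__main__":
    close = alert_to_connection_close(TlsAlert.UNKNOWN_CA, "untrusted issuer")
    print(f"frame 0x{close.frame_type:02x} error 0x{close.error_code:04x} ({close.reason})")
    print("alert recovered:", TlsAlert(connection_close_to_alert(close.error_code)).name)
```

Running the module prints the close frame a receiver would see for an unknown_ca alert (error 0x0130) and recovers the alert name from it; the `quic_accept_update` path shows the fail-closed behaviour when the TLS component hands over a certificate without asserting that it validated it.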
