Acknowledge tlsflag or not?

[csosto-pk]

According to the tlsflags draft, each flag is about some capability or some extension that is not part of the TLS base specification. Just because the client and server both support TLS 1.3 does not mean that they both support this extension or that they both have this capability. If the client does not specify the flag, then the server cannot know that the client supports the extension. Conversely, if the server doesn’t acknowledge it, then the client cannot know that the server supports the extension. The same is true for a flag proposed by the server in the certReq and acknowledged in the certificate message. So every flag needs to be acknowledged.

A server that supports this extension and also supports at least one of the flag-type features that use this extension and that were declared by the ClientHello extension SHALL send this extension with the intersection of the flags it supports with the flags declared by the client. The intersection operation may be implemented as a bitwise AND.

[...] Flag-type extensions that have been indicated in CR (and only such extensions) MAY be also be present in a flags extension of the Certificate (CT) message sent by the client. However, a client MUST NOT indicate support for any flag-type feature in a Certificate message that was not previously indicated by the server in its CertificateRequest message.

[csosto-pk]

Ilari’s https://mailarchive.ietf.org/arch/msg/tls/EKJ38ve6kN-5BWGFDKoVs_T_Vi0/ and Martin’s https://mailarchive.ietf.org/arch/msg/tls/DKgRTXxXuC2-0r52d0h96O2ZuRY/ comments regarding tlsflags acknowledgements say that acknowledgements should not be required.

Basically the argument is that the tlsflags behavior should be similar to extensions, which do not have an acknowledgment requirement by default in TLS. Special acknowledgement requirements are defined normatively per extension. Generally the reason is that flags are like extensions and extensions advertise capabilities like compressing a cert and require no acknowledgement. In other words, if an acknowledgement is required for a specific flag it could be specified for that flag, but the general case does not need to require acknowledgement as it most usually will be a request for something which the peer will or will not do.

The WG would need to reach consensus on acknowledging tlsflags by default or not.

[csosto-pk]

From Ilari

Regarding actual need for acknowledgement for this flag, I think that server acknowledging it could be useful so client knows if retrying without flag could be useful or not.

For the client acknowledging it, I find that much less useful. If server proposes the extension, it better have exhaustive issuer list, be using certificates as just holders for raw public keys, or using certificate fingerprints for identification. Anything else looks like it is asking for trouble.

[csosto-pk]

Yoav crated issue and PR for this in the tlsflags draft after discussing in the list . Language was changed to not require tlsflag acknowledgement.

We ought to update the draft to not require an acknowledgement.

[csosto-pk]

Addressed in https://github.com/csosto-pk/tls-suppress-intermediates/commit/52db8d8d85c1b79c780100028d15f0aa88df6e82