On 20/05/2019 20:01, Kurt Roeckx wrote:
> On Mon, May 20, 2019 at 10:21:45AM -0700, Paul Yang wrote:
>>
>> The Chinese modified TLS protocol is not intended to interoperate with any 
>> other TLS protocols. The cipher suites defined in this protocol should not 
>> be used with the standard IETF TLS. So I guess what Matt said would be 
>> feasible to do. But in reality, users may want to have a combination of both 
>> IETF TLS and Chinese TLS together when he launches a TLS server or client, 
>> to have the auto-selection functionality if a TLS client comes in. So the 
>> way of implementation would be tricky...
> 
> So I think there are 3 options:
> - You use TLS, not some Chinese variant, and add things like Chinese
>   ciphers to it.

That would be fine but my understanding is that the Chinese government mandates
this particular Chinese variant in some situations - so we'd also have to change
government policy which doesn't seem very likely ;-)

> - Use something that's not TLS at all, a Chinese variant, and
>   don't support both protocols on the same port.

If we decide to add support for the Chinese variant, then this would be my
preferred way of doing it.

> - Support both on the same port. This will require coordination
>   with IANA and/or IETF.

I'd be opposed to this last option without IANA/IETF being on board. By doing so
we are effectively no longer compliant with IETF TLS since we're using certain
codepoints and version numbers to mean things that IETF/IANA have no visibility
of, i.e. we would be doing exactly what Rich was worried about. I don't see
IANA/IETF doing this anytime soon.

Matt
