Martin, I think that the wording I would prefer would be along the lines of
A server MUST NOT error on the value of the extension when a higher TLS version is requested. The server MUST use the minimum of the requested value and the maximum value for the TLS version negotiated. A server MAY error if a the value of the extension is exceeded for the version of TLS requested. > -----Original Message----- > From: Martin Thomson [mailto:martin.thom...@gmail.com] > Sent: Monday, February 19, 2018 2:15 AM > To: Jim Schaad <i...@augustcellars.com>; <tls@ietf.org> <tls@ietf.org> > Cc: draft-ietf-tls-record-li...@ietf.org > Subject: Re: Mail regarding draft-ietf-tls-record-limit > > (+tls@) > > This is a good question Jim and one that I thought through during > implementation, but failed to capture in the doc. > > Basically, there is no way to validate the extension if the client includes an > unknown version of TLS or an extension that it doesn't understand. A client > can know because it should understand the protocol as negotiated. > > The text currently says "an endpoint MUST NOT send a value higher than the > protocol-defined maximum record size unless explicitly allowed by such a > future version or extension" I think that we should add "A server MUST NOT > enforce this restriction; a client might advertise a higher limit that is > enabled > by an extension or version the server does not understand." > > Does that make sense? > > > On Mon, Feb 19, 2018 at 5:51 PM, Jim Schaad <i...@augustcellars.com> > wrote: > > I was looking at this document relative to a specific question for > > Kathleen, and I had one thing that I would like you to look at and see > > if you think it is clear enough. > > > > I have a server that is TLS 1.2, a client that is TLS 1.2 & 1.3. It sends > > a hello w/ and extension value of 2^14+1. It is not completely clear > > to me that the server should accept this as a legal value and compute > > the min of it and the maximum 1.2 value as the value to use when > > sending messages to the client rather than producing an error message > > because the value is too large. > > > > Jim > > > > _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
