Yoav,

I think that’s right, i.e., update the patch branch and PR.

spt

> On Jan 25, 2021, at 16:04, Yoav Nir <ynir.i...@gmail.com> wrote:
> 
> OK. I think we have as much consensus as we’re likely to get.
> 
> I’ve updated the patch branch and PR to reflect this.
> 
> Yoav
> 
>> On 22 Jan 2021, at 7:45, Martin Thomson <m...@lowentropy.net> wrote:
>> 
>> On Fri, Jan 22, 2021, at 16:16, Yoav Nir wrote:
>>> See this PR: https://github.com/tlswg/tls-flags/pull/5
>> 
>> It looks like there is lots of disagreement there.  I'm going to disagree 
>> with others too.
>> 
>>> All except the first are Server-side.
>> 
>> Certificate is client-side too.
>> 
>>> The controversy is about unsolicited flags. An unsolicited flag is a 
>>> flag that is set in a Flags extension in a server-side message without 
>>> having been first declared in the ClientHello extension.
>> 
>> So I think that you need to separate requests from responses.  Because 
>> Certificate contains response to ClientHello or CertificateRequest, my view 
>> is that CertificateRequest can contain any flag (provided that the 
>> definition of that flag permits it or you don't know whether it does) and 
>> Certificate can only contain flags that CertificateRequest did.  
>> 
>> This is part of what Ekr seems to have objected to, and I agree with him 
>> there.  A server should be able to use any flag in NewSessionTicket or 
>> CertificateRequest because those are the messages that initiate an exchange 
>> (NST doesn't generate any response, so it's an exchange with one flight, but 
>> that's immaterial).
>> 
>> To review:
>> ClientHello is answered by HelloRetryRequest, ServerHello, 
>> EncryptedExtensions, and (server) Certificate.
>> CertificateRequest is answered by (client) Certificate.
>> NewSessionTicket is not answered (which is totally fine).
>> 
>> Those three first messages above can include new flags.  They can contain 
>> the extension or not at the discretion of the entity that sends the message. 
>> Those messages that are in response can only contain the extension if the 
>> initiating message contained the extension.  Furthermore, the extension can 
>> only contain a specific flag if the initiating message contained that flag.
>> 
>> In other words, each flag is treated just like an empty extension: you can 
>> initiate an exchange with it, but you can only answer with it if it was 
>> initiated with it.
>> 
>> This differs a little from Chris who suggests that only NewSessionTicket can 
>> include a flag that was previously not indicated.
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls

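Martin's request/response rule from the quoted message, written out as a small conformance checker. This is an added example, not code from the thread or from the tls-flags draft; the message names, the split of Certificate into a server and a client copy, and the use of integer flag numbers are my own encoding.

```python
# Added example: checks a sequence of TLS 1.3 handshake messages against the
# rule "a response may carry the Flags extension, and a given flag, only if
# the message that initiated the exchange carried it". Message names and
# integer flag numbers are this example's own encoding, not the draft's.

# Messages that initiate an exchange: they may carry any flag.
INITIATORS = {"ClientHello", "CertificateRequest", "NewSessionTicket"}

# Response messages mapped to the message they answer.
ANSWERS = {
    "HelloRetryRequest": "ClientHello",
    "ServerHello": "ClientHello",
    "EncryptedExtensions": "ClientHello",
    "Certificate(server)": "ClientHello",
    "Certificate(client)": "CertificateRequest",
}


def check_flags(messages):
    """messages: ordered list of (message_name, flags) where flags is a set of
    flag numbers, or None when the Flags extension is absent. Returns a list
    of violation strings; an empty list means the handshake follows the rule."""
    offered = {}   # initiator name -> flags it carried (or None)
    problems = []
    for name, flags in messages:
        if name in INITIATORS:
            offered[name] = flags          # any flag is allowed here
            continue
        initiator = ANSWERS.get(name)
        if initiator is None:
            problems.append(f"{name}: not a message that may carry tls-flags")
            continue
        if flags is None:                  # omitting the extension is always fine
            continue
        solicited = offered.get(initiator)
        if solicited is None:
            problems.append(f"{name}: Flags extension present but {initiator} "
                            f"did not carry the extension")
            continue
        unsolicited = flags - solicited
        if unsolicited:
            problems.append(f"{name}: unsolicited flag(s) {sorted(unsolicited)} "
                            f"not offered in {initiator}")
    return problems
```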