[TLS] Test server available for Opaque PRF Input extension

[Simon Josefsson <simon at josefsson.org>]

All,

There is a test server running that supports the Opaque PRF Input
extension, see:

http://www.gnu.org/software/gnutls/server.html

The test server uses the extension value 42 until a value have been
properly allocated with IANA.  Btw, I think the current allocation
policy in TLS is harmful to deployment of TLS extensions.  It should be
possible to get an early allocation for interop.

For the announcement of GnuTLS v2.1.0 (an experimental branch) with this
support, see:

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2328

If someone wants to do interop tests, please try it directly against the
server or contact me for assistance.

I have one final comment on the document, it says:

        struct {
            opaque opaque_prf_input_value<0..2^16-1>;
        } OpaquePRFInput;

However it is not clear what a length of zero means.  It would not
contribute to the PRF computation.  Thus negotiation of the extension
with empty strings may give a false sense of security.  I don't think
the extension should be negotiated at all if the length is zero, and
that is enforced by our implementation.  One modification to the
document could be:

        struct {
            opaque opaque_prf_input_value<1..2^16>;
        } OpaquePRFInput;

But the problem could also be handled by adding some text.

Generally, having some discussion on recommended lengths of the opaque
prf input data in the document would be useful.

Thanks,
Simon

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls