[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [Nbd] [PATCHv3] Improve documentation for TLS

From: Alex Bligh
Subject: Re: [Qemu-devel] [Nbd] [PATCHv3] Improve documentation for TLS
Date: Sat, 9 Apr 2016 12:55:28 +0100


On 9 Apr 2016, at 12:38, Wouter Verhelst <address@hidden> wrote:

> On Sat, Apr 09, 2016 at 12:21:03PM +0100, Alex Bligh wrote:
>> An alternative route would be to delete OPTIONALTLS, and make some of
>> the MUST requirements in SELECTIVETLS say "MUST xyz unless there are
>> no TLS-only exports". However, this makes it rather harder to read,
>> so I described that case as a separate mode.
> I understand now.
> However, although I disagree with Daniel on the idea of having a server
> which can (in the same process) support both TLS-enabled and
> non-TLS-enabled exports, I do agree with him that what you call
> OPTIONALTLS is a bad idea, and that it should be discouraged.
> Mentioning that option explicitly is counter to that goal, and I would
> therefore prefer that you not add it.
> Also, while we try to negotiate the protocol in such a way that things
> remain compatible between implementations who implement a disjoint set
> of features from the protocol, I think the long-term goal should be that
> STARTTLS and INFO are supported by all implementations (or at least,
> that INFO is). In that context, explicitly explaining (in much detail)
> what happens when a client doesn't support INFO but does support
> STARTTLS seems contraproductive.
> So I'd just drop optional.

OK. I will kill it in v6.

In practice it means 'if you want to export some things with
TLS and some without then you need to implement INFO'.
This would be a *good* thing if INFO is brought into the main
standard (i.e. taken beyond experimental). Eric's just sent
patches for Qemu to qemu-devel. I need to check the implementation
on my server is still compliant, but it's basically done. So
I may argue for INFO to be put into the body of the standard.

>>>> I'd be all for that. Or certainly "SHOULD NOT support LS versions older
>>>> than 1.2 by default"
>>> Or that. The point is that doing TLS < 1.2 is stupid, especially for a
>>> new protocol, so I think we should make it explicit that clients should
>>> not try that save in exceptional circumstances.
>> +1. Do you want to ping me when you have had a chance to review v5 and
>> I will collate all of these in to a v6?
> I have, but did not have any further comments.

Great. v6 coming up.

Alex Bligh

reply via email to

[Prev in Thread] Current Thread [Next in Thread]