> On May 21, 2019, at 06:20, Matt Caswell <[email protected]> wrote:
>
>
> On 20/05/2019 20:01, Kurt Roeckx wrote:
>> On Mon, May 20, 2019 at 10:21:45AM -0700, Paul Yang wrote:
>>>
>>> The Chinese modified TLS protocol is not intended to interoperate with any
>>> other TLS protocols. The cipher suites defined in this protocol should not
>>> be used with the standard IETF TLS. So I guess what Matt said would be
>>> feasible to do. But in reality, users may want to have a combination of
>>> both IETF TLS and Chinese TLS together when he launches a TLS server or
>>> client, to have the auto-selection functionality if a TLS client comes in.
>>> So the way of implementation would be tricky...
>>
>> So I think there are 3 options:
>> - You use TLS, not some Chinese variant, and add things like Chinese
>> ciphers to it.
>
> That would be fine but my understanding is that the Chinese government mandate
> this particular Chinese variant in some situations - so we'd also have to
> change government policy which doesn't seem very likely ;-)
You are right. There are currently no official Chinese national standards that
define cipher suites for IETF TLS yet.
>
>> - Use something that's not TLS at all, a Chinese variant, and
>> don't support both protocols on the same port.
>
> If we decide to add support for the Chinese variant, then this would be my
> preferred way of doing it.
>
>> - Support both on the same port. This will require coordination
>> with IANA and/or IETF.
>
> I'd be opposed to this last option without IANA/IETF being on board. By doing
> so we are effectively no longer compliant with IETF TLS since we're using
> certain codepoints and version numbers to mean things that IETF/IANA have no
> visibility of, i.e. we would be doing exactly what Rich was worried about. I
> don't see IANA/IETF doing this anytime soon.
>
> Matt
>