1.6 KiB
Dosh Protocol Versioning
Dosh v1 uses a deliberately simple compatibility policy: single-version, fail-closed, explicit error.
The wire header carries protocol::VERSION. The native handshake carries
native::NATIVE_PROTOCOL_VERSION. A peer that speaks any other version is rejected
before application data is accepted:
- foreign wire
VERSIONpackets get anAttachRejectwithprotocol version mismatch - upgrade dosh; - foreign native handshake
protocol_versionvalues get the same named upgrade error with local/remote versions; - there is no silent downgrade, compatibility fallback, or best-effort decoding.
When To Bump
Bump protocol::VERSION when a change affects packet framing, packet kind meaning,
serialized protocol structs carried outside native handshake negotiation, or anything
an older peer could misparse.
Bump native::NATIVE_PROTOCOL_VERSION when a change affects native handshake
transcripts, native auth semantics, algorithm negotiation, attach tickets, or any
field that is signed or key-derived by native auth.
If both layers are affected, bump both.
Compatibility Window
Native v1 supports exactly the current version. That keeps the implementation small and makes security review tractable. Multi-version negotiation can be added later only with an explicit downgrade-resistance design:
- negotiated version must be transcript-bound;
- the selected version must be visible in diagnostics;
- tests must prove an active attacker cannot force an older mutually supported version;
- unsupported peers must still get the same named upgrade error.
Until that exists, the public policy is: upgrade both sides together.