41 lines
1.6 KiB
Markdown
41 lines
1.6 KiB
Markdown
# Dosh Protocol Versioning
|
|
|
|
Dosh v1 uses a deliberately simple compatibility policy: **single-version,
|
|
fail-closed, explicit error**.
|
|
|
|
The wire header carries `protocol::VERSION`. The native handshake carries
|
|
`native::NATIVE_PROTOCOL_VERSION`. A peer that speaks any other version is rejected
|
|
before application data is accepted:
|
|
|
|
- foreign wire `VERSION` packets get an `AttachReject` with
|
|
`protocol version mismatch - upgrade dosh`;
|
|
- foreign native handshake `protocol_version` values get the same named upgrade
|
|
error with local/remote versions;
|
|
- there is no silent downgrade, compatibility fallback, or best-effort decoding.
|
|
|
|
## When To Bump
|
|
|
|
Bump `protocol::VERSION` when a change affects packet framing, packet kind meaning,
|
|
serialized protocol structs carried outside native handshake negotiation, or anything
|
|
an older peer could misparse.
|
|
|
|
Bump `native::NATIVE_PROTOCOL_VERSION` when a change affects native handshake
|
|
transcripts, native auth semantics, algorithm negotiation, attach tickets, or any
|
|
field that is signed or key-derived by native auth.
|
|
|
|
If both layers are affected, bump both.
|
|
|
|
## Compatibility Window
|
|
|
|
Native v1 supports exactly the current version. That keeps the implementation small
|
|
and makes security review tractable. Multi-version negotiation can be added later
|
|
only with an explicit downgrade-resistance design:
|
|
|
|
- negotiated version must be transcript-bound;
|
|
- the selected version must be visible in diagnostics;
|
|
- tests must prove an active attacker cannot force an older mutually supported
|
|
version;
|
|
- unsupported peers must still get the same named upgrade error.
|
|
|
|
Until that exists, the public policy is: upgrade both sides together.
|