Re: Expectations for TLS session reuse

Patrick McManus <mcmanus@ducksong.com> Thu, 22 December 2016 15:43 UTC

From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 22 Dec 2016 10:39:02 -0500
Message-ID: <CAOdDvNqPDssNmSscgk3chbPg+Uw53_nqFrv+OzhTHWA=hTvwLg@mail.gmail.com>
To: Richard Bradbury <richard.bradbury@rd.bbc.co.uk>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>, Lucas Pardue <Lucas.Pardue@bbc.co.uk>, Patrick McManus <mcmanus@ducksong.com>
Subject: Re: Expectations for TLS session reuse
Archived-At: <http://www.w3.org/mid/CAOdDvNqPDssNmSscgk3chbPg+Uw53_nqFrv+OzhTHWA=hTvwLg@mail.gmail.com>

On Thu, Dec 22, 2016 at 7:25 AM, Richard Bradbury <richard.bradbury@rd.bbc.co.uk> wrote:

> the position is the same for HTTP/1.1 as it is for HTTP/2

I don't think this is true. H1 is governed by 7230 section 9. In practice
it is a connection per origin:

   The "https" scheme (Section 2.7.2 <https://tools.ietf.org/html/rfc7230#section-2.7.2>)
   is intended to prevent (or at least reveal) many of these potential attacks
   on establishing authority, provided that the negotiated TLS connection is
   secured and the client properly verifies that the communicating server's
   identity matches the target URI's authority component
   (see [RFC2818 <https://tools.ietf.org/html/rfc2818>]).

whereas H2 loosens that a little bit for coalescing in 7540.
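The distinction drawn above, worked as an added Python example that is not part of the thread: a client-side reuse check where HTTP/1.1 only reuses a connection for the exact origin it was opened for, while an h2 connection may be coalesced under the RFC 7540 §9.1.1 conditions (the new host resolves to the address already connected to, and the already-verified certificate also covers the new host). The `Origin`/`Connection` types, the resolver callback and the sample DNS table are assumptions constructed for the example.

```python
"""Connection-reuse decision: HTTP/1.1 (one origin) vs HTTP/2 coalescing."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int

@dataclass
class Connection:
    origin: Origin          # origin the connection was opened for
    peer_ip: str            # address actually connected to
    san_names: tuple = ()   # dNSName entries from the already-verified cert
    h2: bool = False        # "h2" negotiated via ALPN?

def san_matches(pattern, host):
    """RFC 6125-style dNSName match: wildcard only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # the wildcard stands for exactly one non-empty label, never for a bare domain
    return len(labels) >= 3 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]

def can_reuse(conn, target, resolve):
    """True if `conn` may carry a request for `target`; resolve(host) -> set of IPs."""
    if conn.origin.scheme != target.scheme or conn.origin.port != target.port:
        return False
    if conn.origin.host == target.host:
        return True                      # same origin: fine for both versions
    if not conn.h2:
        return False                     # HTTP/1.1: a connection per origin
    if conn.peer_ip not in resolve(target.host):
        return False                     # h2: new host must resolve to this peer
    if target.scheme == "https":         # h2 + https: cert must also cover new host
        return any(san_matches(n, target.host) for n in conn.san_names)
    return True

# Constructed sample: one TLS connection to a.example.com, cert SANs include a wildcard
SAMPLE_DNS = {"a.example.com": {"192.0.2.10"}, "b.example.com": {"192.0.2.10"},
              "c.example.com": {"192.0.2.11"}, "other.test": {"192.0.2.10"}}

def demo(h2=True):
    conn = Connection(Origin("https", "a.example.com", 443), "192.0.2.10",
                      ("a.example.com", "*.example.com"), h2=h2)
    return {h: can_reuse(conn, Origin("https", h, 443), SAMPLE_DNS.__getitem__)
            for h in SAMPLE_DNS}
```

With `h2=True` only `b.example.com` is additionally coalesced (same peer IP, covered by the wildcard); `c.example.com` fails the address check and `other.test` fails the certificate check, and with `h2=False` nothing beyond the original origin is reused.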