Re: [quicwg/base-drafts] Clarify the state a client stores with a token (#3150)

Kazuho Oku <> Tue, 17 December 2019 05:16 UTC

List-Id: Notification list for GitHub issues related to the QUIC WG <>

kazuho commented on this pull request.

I have some editorial comments, but the design looks fine to me.

While we might embed some information related to 0-RTT configuration in QUIC tokens, they would be decryptable and be usable, so we do not think there would be a problem for us (thanks to @martinthomson for checking).

> @@ -1741,7 +1741,8 @@ its Initial packet.  Including a token might allow the server to validate the
 client address without an additional round trip.  A client MUST NOT include a
 token that is not applicable to the server that it is connecting to, unless the
 client has the knowledge that the server that issued the token and the server
-the client is connecting to are jointly managing the tokens.
+the client is connecting to are jointly managing the tokens.  A client MAY use a
+token from any previous connection to that server.
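
Review bot: In the added sentence "A client MAY use a token from any previous connection to that server", the antecedent of "that server" is ambiguous, because the preceding sentence names two servers: "the server that issued the token" and "the server the client is connecting to". Since this MAY directly follows the MUST NOT on tokens that are not applicable to the server, spell the referent out (for example "to the server it is connecting to") so that the permission cannot be read as relaxing the restriction before it.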

Maybe this sentence can be subsumed by the first sentence of the same paragraph that discusses the applicability of the token?

> @@ -1792,6 +1793,12 @@ able to reuse a token.  To avoid attacks that exploit this property, a server
 can limit its use of tokens to only the information needed to validate client
+Clients MAY use tokens obtained on one connection for any connection attempt
+using the same version.  When selecting a token to use, clients do not need to
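
Review bot: The added "Clients MAY use tokens obtained on one connection for any connection attempt using the same version" carries no server scoping, so read alone it permits sending a token to a server other than the one that issued it, which conflicts with the MUST NOT in the earlier hunk. Consider restricting it explicitly, for example "any connection attempt to the same server", or pointing back to the applicability rule. The second added sentence is cut off in the visible lines, so this comment covers only the first.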

It might be better to say: _using the same "QUIC" version_.

Also, I think it might be a good idea to gather the discussion about applicability to one place. At the moment this PR scatters that to three places: one being the change above (and the first sentence of that paragraph, which already exists), and the provisions being added here.
