Re: [quicwg/base-drafts] Deny 1-RTT Rx keys till finished (#3174)

Martin Thomson <> Thu, 31 October 2019 01:11 UTC

martinthomson commented on this pull request.

This seems fine, though I was a little concerned about levying requirements on TLS stacks in this way; it seems like a reasonable thing to recommend.

> @@ -504,6 +504,9 @@ client could interleave ACK frames that are protected with Handshake keys with
 0-RTT data and the server needs to process those acknowledgments in order to
 detect lost Handshake packets.
+A TLS implementation MUST NOT provide a 1-RTT decrypt secret to QUIC until it
+has received a Finished message from the peer.
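
Review bot: In the added sentence, "has received a Finished message from the peer" conditions release of the 1-RTT decrypt secret on receipt of the message rather than on its successful validation, so as worded a Finished that has arrived but has not yet been checked would satisfy the MUST NOT. Suggest stating the condition in terms of a validated Finished or of handshake completion. The sentence is also appended straight onto the paragraph about ACK frames and lost Handshake packets with no blank line, so it will render as part of that paragraph; a paragraph break before it would keep the new requirement separate.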

the TLS handshake is complete.

Receiving a Finished message is not sufficient, as you have to verify it.  Also, at least in our stack, verifying the Finished is not the only condition we hold handshake completion on.  We also wait until the certificate is marked as "OK", which is an asynchronous process and so might happen after validating the Finished.

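
A sketch of the gating condition described in the review comment above, added here as an illustration and not code from the QUIC drafts or from any TLS stack: the 1-RTT read secret is withheld until the Finished has been verified and certificate validation has reported OK, in either order. `OneRttGate`, its method names and the buffering of early 1-RTT packets are assumptions made for this example.

```python
from enum import Enum, auto


class Rx(Enum):
    BUFFERED = auto()   # key not released yet, packet held back undecrypted
    DELIVERED = auto()  # key released, packet may be decrypted
    DROPPED = auto()    # handshake failed or buffer full, never decrypted


class OneRttGate:
    """Hypothetical gate between a TLS stack and QUIC for the 1-RTT read secret."""

    def __init__(self, rx_secret: bytes, max_buffered: int = 8):
        self._rx_secret = rx_secret
        self._finished_verified = False
        self._cert_ok = False
        self._failed = False
        self._max = max_buffered
        self.buffered = []  # 1-RTT packets that arrived before completion

    def complete(self) -> bool:
        return self._finished_verified and self._cert_ok and not self._failed

    def on_finished(self, mac_valid: bool) -> list:
        # Receipt alone changes nothing; only a Finished that verifies counts.
        self._finished_verified = mac_valid
        self._failed = self._failed or not mac_valid
        return self._flush()

    def on_cert_result(self, ok: bool) -> list:
        # Asynchronous: may be called before or after on_finished().
        self._cert_ok = ok
        self._failed = self._failed or not ok
        return self._flush()

    def rx_secret(self):
        return self._rx_secret if self.complete() else None

    def on_packet(self, pkt: bytes) -> Rx:
        if self.complete():
            return Rx.DELIVERED
        if self._failed or len(self.buffered) >= self._max:
            return Rx.DROPPED
        self.buffered.append(pkt)
        return Rx.BUFFERED

    def _flush(self) -> list:
        # Hand back buffered packets only once the handshake is complete;
        # on failure they are discarded without ever being decrypted.
        released = self.buffered if self.complete() else []
        if self.complete() or self._failed:
            self.buffered = []
        return released
```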