RE: Key updates

Nick Banks <nibanks@microsoft.com> Mon, 06 August 2018 14:26 UTC

From: Nick Banks <nibanks@microsoft.com>
To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Martin Thomson <martin.thomson@gmail.com>
CC: IETF QUIC WG <quic@ietf.org>
Subject: RE: Key updates
Date: Mon, 6 Aug 2018 14:26:29 +0000
Message-ID: <DM5PR2101MB0901C67F9B1F8A2DE765417AB3200@DM5PR2101MB0901.namprd21.prod.outlook.com>
References: <CABkgnnW9-Jn1CH0rSwbtDmMrOZ+jstugVsOpWtShDJgT_KSyOw@mail.gmail.com> <CAKcm_gPXFXZc4ysm7ugG0T8GTWjgcO9hvO6ATj0MRiEufie=bQ@mail.gmail.com> <193166ED-C8C3-4A6B-9483-5546C34B5BDA@tik.ee.ethz.ch>
In-Reply-To: <193166ED-C8C3-4A6B-9483-5546C34B5BDA@tik.ee.ethz.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/D0VIzdAJ8cApsJq8YAdG31AFJFM>

On the topic of who drives key updates, my preference would be toward QUIC. I prefer QUIC to have as little dependence on the TLS state object post handshake as possible. Preferably, I'd like to be able to throw away the entire TLS state object some short time after the handshake. Obviously this would only be possible if no further NST will be shared, but I believe there are several cases where this will be true. This would allow a more memory efficient design, especially on the server side.

As far as punting this to the next version, I also think that might be a good idea. I further agree with Mirja's suggestion that we should still give some consideration now, so as to make the move to the next version easier, if we go this route.

- Nick
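As an added illustration of the design point above (this is not code from the message or from any QUIC implementation), the sketch below keeps nothing per direction except the current 1-RTT traffic secret and rotates keys with the HKDF-Expand-Label construction that RFC 9001 eventually standardised; the "quic ku" label, the fixed 16/12-byte key/IV sizes and the rule that the header-protection key is not rotated are taken from RFC 9001, not from this 2018 thread, and the all-zero starting secret is a constructed sample.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # hash of the negotiated cipher suite (e.g. TLS_AES_128_GCM_SHA256)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 HKDF-Expand-Label: the only TLS primitive needed once the handshake is done."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


class QuicKeyState:
    """One direction of 1-RTT keys. Holds a traffic secret only; no TLS object is referenced."""

    def __init__(self, traffic_secret: bytes):
        self.key_phase = 0
        self.secret = traffic_secret
        # Header protection key is derived once and survives key updates (RFC 9001 6.1).
        self.hp = hkdf_expand_label(self.secret, "quic hp", b"", 16)
        self._derive_packet_keys()

    def _derive_packet_keys(self) -> None:
        # AEAD key and IV always come from the current-generation secret (RFC 9001 5.1).
        self.key = hkdf_expand_label(self.secret, "quic key", b"", 16)
        self.iv = hkdf_expand_label(self.secret, "quic iv", b"", 12)

    def update(self) -> int:
        # RFC 9001 6.1: secret_{n+1} = HKDF-Expand-Label(secret_n, "quic ku", "", Hash.length).
        # Nothing from the TLS handshake state is consulted; the old secret is dropped.
        self.secret = hkdf_expand_label(self.secret, "quic ku", b"", HASH().digest_size)
        self.key_phase ^= 1  # the KEY_PHASE bit in the short header flips each generation
        self._derive_packet_keys()
        return self.key_phase


SAMPLE_SECRET = bytes(32)  # constructed sample; a real secret comes from the TLS exporter
```

Because `update()` is a pure function of the previous secret, both endpoints that start from the same exporter output stay in sync across any number of generations while the TLS object itself can be released.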