Re: [TLS] Simple, secure 0-RTT for the masses

Bill Cox <waywardgeek@google.com> Tue, 15 March 2016 20:18 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0UBBvB9xXAXfsgxVbPBkXBaF1Vo>

Correction:  TLS 1.3 PSK resumption already requires a client-side
session-cache, in order for the client to load the previous session state
and send 0-RTT data encrypted with the previous session secrets.  So, using
session caches on both sides seems to be the simplest safe 0-RTT mode
compatible with TLS 1.3.

Bill
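
A minimal model of the two-sided session cache described in the message above, added here as an illustration and not taken from the message or from any TLS implementation: the server deletes a cached session on its first resumption, so a captured 0-RTT flight fails when it is sent again. The class names, the HMAC tag standing in for record encryption, and the sample values are assumptions of this sketch.

```python
import hashlib
import hmac
import os

def early_data_tag(secret, early_data):
    # Stand-in for real record protection (assumption: HMAC only, stdlib).
    return hmac.new(secret, b"early data" + early_data, hashlib.sha256).digest()

class ServerSessionCache:
    """Server side: one entry per resumable session, removed on first use."""
    def __init__(self):
        self._sessions = {}

    def issue(self):
        session_id, secret = os.urandom(16), os.urandom(32)
        self._sessions[session_id] = secret
        return session_id, secret

    def accept_early_data(self, session_id, early_data, tag):
        # Consume the entry before verifying: a second copy never finds it.
        secret = self._sessions.pop(session_id, None)
        if secret is None:
            return False  # unknown or already used: fall back to full handshake
        return hmac.compare_digest(tag, early_data_tag(secret, early_data))

class ClientSessionCache:
    """Client side: previous session state, keyed by server name."""
    def __init__(self):
        self._by_server = {}

    def store(self, server_name, session_id, secret):
        self._by_server[server_name] = (session_id, secret)

    def build_early_data(self, server_name, early_data):
        # Each cached session protects at most one 0-RTT flight.
        entry = self._by_server.pop(server_name, None)
        if entry is None:
            return None  # nothing cached: no 0-RTT, do a full handshake
        session_id, secret = entry
        return session_id, early_data, early_data_tag(secret, early_data)

def demo():
    server, client = ServerSessionCache(), ClientSessionCache()
    client.store("example.test", *server.issue())  # end of a full handshake
    flight = client.build_early_data("example.test", b"GET /transfer?id=1")
    first = server.accept_early_data(*flight)   # genuine 0-RTT flight
    replay = server.accept_early_data(*flight)  # same bytes, captured and resent
    second = client.build_early_data("example.test", b"GET /")  # cache now empty
    return first, replay, second
```

Consuming the entry before the tag check fails closed: a forged flight naming a valid session id costs that session its 0-RTT attempt, and the client falls back to a full handshake.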