Re: [TLS] #445: Enhanced New Session Ticket
Eric Rescorla <ekr@rtfm.com> Thu, 28 April 2016 20:44 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2286212B04A for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 13:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bEnSYBLsaLT1 for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 13:44:24 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECFC812D65C for <tls@ietf.org>; Thu, 28 Apr 2016 13:44:21 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id g133so127119336ywb.2 for <tls@ietf.org>; Thu, 28 Apr 2016 13:44:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RDhpLWrGu+qHT1NGG2fIXXAl+h5gf0RKvB7e6HzDhdA=; b=RinFObf3afuB+mowKuuNnia8nPmMReZs+KwEHQzetsfO8dCsXO58TqzW0TQR11+tN0 O7vRwd9hCFdEHsA8JuwbOCJWF6BlNlmrEBTURA+zwmehrFBbt90n0qFFdRQZNPYFJLnT FLqIlhzoWLxR7A90kxPPLI+KO2OttKJuU5nlvXAy1FBQcnphpB305vzRrwdLNh8BxhzO wDe3Rt+smFOItnw2CF7QLxBGsB0MAFapHRQ5mqQBXrzM7XJbhOzzWSw+Jcy4FCAWr3Gw WLCDTX6QELs4Zd27KCr7NtxGEzTKjgSA0NsqqAPKDhdbKykAHF+Mo9UNn298nhPdSzIf W7TA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RDhpLWrGu+qHT1NGG2fIXXAl+h5gf0RKvB7e6HzDhdA=; b=k3ihrdQefpTQnVi1MabZ2K0usjMYkEUEXJQRsdw9wWrz31p+TpiBbXMUBSN4ESgHSB +EJSfKZk1xBwDtmJQBM4whwIsAgG85HlMGwAQjv32rHDs8J9Dm1J0EJmBxZ0P5e0jjUD EhpOShDp9nHZi8Frckj/QEBvHV54v6+OONG+reQ4L5chvRHHwzxRmqDyMqPfHgsWsqqa W4i7kS+e23fbWmEVNXyUkVUnaXFzBLbVeM33mfAxH32RmdxgLmEydIb+PVRZVlkzQP4y 2S0HnKPYyZux9/Utasr/keMaGrmExnjZPfCOB+kqhJEbBMFEIDznTKSQAdnshKnIEfhK I+eQ==
X-Gm-Message-State: AOPr4FUdc6jOVjM5YoRYnMQmhe7y4ZMTaDMUf94BZGIVg9IY/ROWH1R6B5sAGors7Hg4V2fot6+znc/ucVEFFg==
X-Received: by 10.13.237.1 with SMTP id w1mr9160523ywe.62.1461876261208; Thu, 28 Apr 2016 13:44:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Thu, 28 Apr 2016 13:43:41 -0700 (PDT)
In-Reply-To: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 28 Apr 2016 13:43:41 -0700
Message-ID: <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c0864a84174c8053191978e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0a8FTY66KDe_XvHkidqew1i0JNo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 20:44:27 -0000
On Thu, Apr 28, 2016 at 12:32 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > Some comments: > Please note: this PR is still a WIP. I'll be updating it in a bit... > - I presume 0-RTT used in retried ClientHello uses (and for the verify > mechanism to work, that needs to be allowed!) uses ClientHello1... > ClientHello2 as its base hash? > I don't think I understand what you are asking. Can you rephrase. > - Is that 0-RTT Finished message needed? It is the only 0-RTT handshake > message... > I think so it's a proof that the client knows the key. Also, per the discussion in Buenos-Aires we expect to be adding > - Server can send CertificateRequest in GDHE-PSK or PSK mode??? > Is there a reason that's undesirable? Note that it can always do post-handshake authentication, so we need to ensure that this is secure. My understanding is that because it covers the server's Finished, it therefore builds in the PSK value (per the analyis from Scott et al.). Do you have a concern with this. - What are 'etc' for parameters for 0-RTT data? Use the present > extension list here and have any future extensions that matter here > explicitly define their interaction. > The list is an example. The operative word is "all". - The requirement for server to validate its extensions... Hopefully > there is no security reason for that... I really don't see it being > implemented correctly (and the description looks completely screwy[1]). > This is an important requirement. For instance, you need the same ALPN value. > - 1 RTT server context presumably ends in CertificateRequest, not > CertificateVerify (the Certificate and CertificateVerify are > impiled). > I'm not sure which section of the draft you're referring too here. - You might want flag for if server promises replay protection or > not in NST. > We discussed this in BE and the consensus was that it was not clear how the server implemented this and so it was unwise to promise it. > - You might want to specify that allow_dhe_resumption doesn't > change key exchange, only authentication (so DHE_CERT becomes > DHE_PSK and ECDHE_CERT becomes ECDHE_PSK). I'm not sure I follow. It changes key exchange. If we want to have a resumption mode that has the server sign, we'll need a different indicator here. [1] There are many extensions that are not relevant because those > control server authentication (e.g. status_request, status_request_v2, > signed_certificate_timestamp, server_certificate_type). And some that > are low-level connection control (e.g. max_fragment_length) Yes, I am being conservative here because false positives don't seem like they will happen a lot. ALPN is special here tho: It needs to match the impiled 0-RTT ALPN > (does one want that extension in 0-RTT case anyway?). > Yes, you absolutely need ALPN for early data. -Ekr > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara