Re: [TLS] Resumption ticket/PSK
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 19 May 2016 20:01 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E255B12D6D3 for <tls@ietfa.amsl.com>; Thu, 19 May 2016 13:01:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fAIUm8RjW1Dd for <tls@ietfa.amsl.com>; Thu, 19 May 2016 13:01:25 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CD7212D66C for <tls@ietf.org>; Thu, 19 May 2016 13:01:25 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 69037284F26; Thu, 19 May 2016 20:01:24 +0000 (UTC)
Date: Thu, 19 May 2016 20:01:24 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20160519200124.GG3300@mournblade.imrryr.org>
References: <CAJU8_nVhM+xOnt8D8UJ8qvWUFts3s5n3gOQvJZYs=XWymfVOVQ@mail.gmail.com> <CABcZeBM8R8LC0wQfxp63BzfjRvLh4sYh4HdT5KZ8LXe2uE3GgQ@mail.gmail.com> <20160519190508.GE3300@mournblade.imrryr.org> <CAJU8_nW5jqO3DSvZZNpNQThnCb3P4bCBjE47uhjPRPB1ix6_mg@mail.gmail.com> <20160519191930.GF3300@mournblade.imrryr.org> <CAJU8_nXkSLxWJ3NdoXrqAgg3vD_mxRmGET82Di==wy9tSAewbA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAJU8_nXkSLxWJ3NdoXrqAgg3vD_mxRmGET82Di==wy9tSAewbA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0iLwnM3pjRgRtI9CQNBX49YxOFU>
Subject: Re: [TLS] Resumption ticket/PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 20:01:27 -0000
On Thu, May 19, 2016 at 03:45:26PM -0400, Kyle Rose wrote: > > This is only relevant to a particular type of client, and should > > not be default protocol behaviour. > > I suspect the root of arguments for/against this proposal are > philosophical more than technical. I disagree with your contention > above that client-behavior-only is sufficient, because my definition > of "sufficient" includes something about resource usage on the server > in pursuit of the privacy desires of the client, which you implicitly > admit to below: Well, if a client is not behind a carrier-grade NAT, it is readily identified by its network address until it obtains a new one. So the tracking identifier is at layer 3 and TLS won't change that. Nevertheless, some clients may want to attempt to gain fine-grained protection against correlating back to back or parallel resumption requests. For this they'd have to ensure that all session tickets are single use, and either perform new handshakes when increasing the number of parallel connections to the server, or somehow obtain more than one ticket within a single session. The proposal is rather complex, and often still not effective. For this reason, I'm suggesting that the complexity should not be specified as a default behaviour. There's a lot clients can do unilaterally, and a new extension can be designed to close any gaps for clients with "greater needs". -- Viktor.
- [TLS] Resumption ticket/PSK Kyle Rose
- Re: [TLS] Resumption ticket/PSK Eric Rescorla
- Re: [TLS] Resumption ticket/PSK Kyle Rose
- Re: [TLS] Resumption ticket/PSK Viktor Dukhovni
- Re: [TLS] Resumption ticket/PSK Kyle Rose
- Re: [TLS] Resumption ticket/PSK Viktor Dukhovni
- Re: [TLS] Resumption ticket/PSK Kyle Rose
- Re: [TLS] Resumption ticket/PSK Viktor Dukhovni
- Re: [TLS] Resumption ticket/PSK Martin Thomson
- Re: [TLS] Resumption ticket/PSK Viktor Dukhovni
- Re: [TLS] Resumption ticket/PSK Kyle Rose