[TLS] TLS Cross-SNI Resumption
Victor Vasiliev <vasilvv@google.com> Sun, 12 July 2020 21:23 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/19YnabLK2mHlZ4NybJ-J4faY0CU>
Hello everyone,

As some of you might remember, we've had multiple discussions in the past about letting clients do session resumption in cases where the SNI value changes, but the original certificate is also valid for the new SNI. Originally we talked about this <https://github.com/tlswg/tls13-spec/pull/1080> during TLS 1.3 standardization; the conclusion back then was that resumption across domains is fine in principle, but the extension used to opt into it should be shipped in a separate document.

One such document was proposed back in Prague: https://tools.ietf.org/html/draft-sy-tls-resumption-group-00. That draft unfortunately hasn't progressed since; I tried contacting the author back in March, but got no response.

I wrote a draft that does a similar thing: https://tools.ietf.org/html/draft-vvv-tls-cross-sni-resumption-00. This introduces a NewSessionTicket extension, which was the original approach proposed back in PR#777 <https://github.com/tlswg/tls13-spec/pull/777> (draft-sy-tls-resumption-group used a CH/SH extension).

What do people think about this?

Cheers,
Victor.
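The client-side decision the message describes, as an added illustration that is not part of Victor's mail, the draft, or any TLS implementation: a ticket cache that resumes under a different SNI only when the server opted in via the NewSessionTicket extension and the certificate presented in the original handshake also covers the new name. The extension is modelled as a boolean recorded with the ticket (its wire format and codepoint are not given here), the stored SAN list and the RFC 6125-style dNSName matching are assumptions, and the sample tickets are constructed.

```python
"""
Client-side policy for reusing a TLS 1.3 session ticket across SNI values.

Illustrative code only; not from the draft or from any TLS stack.
Assumptions not stated in the original message:
  - The server's opt-in is a NewSessionTicket extension; it is modelled as
    the boolean `cross_sni_allowed` stored alongside the ticket.
  - The subjectAltName dNSName entries of the certificate validated in the
    original handshake are stored with the ticket, and matching follows the
    RFC 6125 DNS-ID rules: case-insensitive, a wildcard only as the entire
    left-most label, never matching across a dot, no "*.tld" patterns.
"""
from dataclasses import dataclass
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Normalise a DNS name to lower-case labels, dropping a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def dns_id_matches(pattern: str, host: str) -> bool:
    """True if SAN dNSName `pattern` covers `host` (RFC 6125 section 6.4.3 style)."""
    p, h = _labels(pattern), _labels(host)
    if not p or not h or len(p) != len(h):
        return False  # a wildcard label matches exactly one label, so lengths must agree
    if p[0] == "*":
        # Reject "*.com"-style patterns: at least two labels must follow the wildcard.
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


@dataclass
class StoredTicket:
    ticket: bytes                 # opaque NewSessionTicket.ticket value (constructed)
    issued_for_sni: str           # SNI used in the handshake that produced the ticket
    san_dns_names: List[str]      # dNSName SANs of the certificate validated then
    cross_sni_allowed: bool       # server sent the opt-in extension (assumed model)


class TicketCache:
    def __init__(self) -> None:
        self._tickets: List[StoredTicket] = []

    def store(self, t: StoredTicket) -> None:
        self._tickets.append(t)

    def select(self, target_sni: str) -> Optional[StoredTicket]:
        """Return a ticket usable for `target_sni`, or None to force a full handshake.

        A real client would also remove the chosen ticket so each one is used once.
        """
        # 1. Ordinary TLS 1.3 resumption: the SNI is the one the ticket was issued for.
        for t in self._tickets:
            if _labels(t.issued_for_sni) == _labels(target_sni):
                return t
        # 2. Cross-SNI resumption: only if the server opted in AND the original
        #    certificate would have been valid for the new name. Without the
        #    opt-in we must not reuse the ticket even when the SANs cover the name.
        for t in self._tickets:
            if not t.cross_sni_allowed:
                continue
            if any(dns_id_matches(n, target_sni) for n in t.san_dns_names):
                return t
        return None


def demo() -> TicketCache:
    """Build a cache with two constructed tickets for the checks below."""
    cache = TicketCache()
    cache.store(StoredTicket(b"ticket-1", "www.example.com",
                             ["www.example.com", "*.example.com"], True))
    cache.store(StoredTicket(b"ticket-2", "api.other.test",
                             ["api.other.test", "cdn.other.test"], False))
    return cache
```

Both conditions matter: the SAN check alone would let a client resume against a name the server never agreed to serve from that ticket's session, and the opt-in alone would let it resume against a name the original certificate never covered.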