IETF Logo Mail Archive

Re: [TLS] consensus call: draft-ietf-tls-ticketrequests

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 05 March 2020 05:53 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B1333A0D7E for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 21:53:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFCi9KHnC8R8 for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 21:53:06 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FF383A0D8D for <tls@ietf.org>; Wed, 4 Mar 2020 21:53:06 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id A9C321AFFBC; Thu, 5 Mar 2020 00:53:05 -0500 (EST)
Date: Thu, 05 Mar 2020 00:53:05 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20200305055305.GX7977@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <4E07012F-AB53-4727-A309-D8A15222A433@sn3rd.com> <0E7E2E43-CC46-488E-981E-BF8417821D85@sn3rd.com> <debd3b67-4089-a108-c285-45dccd8cc114@cs.tcd.ie> <CACsn0c=dS3sGRhT5kZGduhR3MynuxDSRnsA2a=kfpyu_0NWKPw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0c=dS3sGRhT5kZGduhR3MynuxDSRnsA2a=kfpyu_0NWKPw@mail.gmail.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2bJCbC75eLVLBggsZ8ZL6ybj3Fg>
Subject: Re: [TLS] consensus call: draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 05:53:15 -0000

On Wed, Mar 04, 2020 at 08:32:45PM -0800, Watson Ladd wrote:

> > Yes. I think Viktor's use case is one to not bugger
> > up (even if one doesn't need to support it) and don't
> > see how supporting it breaks something. (While also
> > disliking generic ticket reuse.)
> 
> It's not the usecase: it's the program. Postfix made architectural
> choices that make storing tickets allegedly expensive.

These fit into a existing archicture of security-hardened
privilege-separated ephemeral processes that handle a modest number of
deliveries and exit to be replaced by new processes, concurrent
delivery (within sensible bounds) to the same destination, because
serializing all output to the same destination really kills
performance, ...

The architecture is actually reasonably well thought out.  It is true
that Postfix could probably learn to have a multi-slot cache, and to
keep updating on each and every resumption.  But the shared ticket cache
is backed by Berkeley DB or LMDB, and especially in the case of LMDB's
copy-on-write design a high write rate (hundreds of new tickets per
second) is not particularly appealing.

In any case, Postfix is but an example of an application where ephemeral
tickets are mere security theatre, there is simply no privacy benefit,
and no plausible use-case for early data.

I am all down with discouraging ticket reuse, not enabling it by
default, ... but none of that amounts to a sound reason for precluding
reuse where non-reuse has demonstrably no value.

> I would be a lot more sympathetic if Viktor could provide actual
> measurements with actual numbers demonstrating that rewriting tickets
> is an insurmountable obstacle, given all the other time taken by
> opening connections and sending mail.

Why does it have to be an insurmountable obstacle.  What's wrong with
the observation that I have a well-oiled mature code-base that works
well with multi-use tickets, and would need significant refactoring to
take advantage of ephemeral tickets.

It is true that with returning a fresh ticket each time, the cache churn
is not a *disaster* for Postfix, but it is unnecessary, and not just
Postfix, but also other application can benefit from avoiding ticket
churn security theatre.

> There also is the possibility that a different architecture that
> reduces contention on the cache (say by not having multiple processes
> attempting to open connection to the same server at once, or switching
> to storage system that accomodates multiple simultaneous writers)
> would have better performance.

So I gather I should trade-off optimizing mail queue management for
optimizing ticket cache management?  (I don't think so...)

> 0-RTT=> replay=> either single use tickets or idempotent methods only.
> And then we learned that websites don't have idempotent GET always.
> Hence the interest in server side enforcement of single use tickets.

There's no GET in SMTP.  The transaction starts with a 220 greeting
from the server to the client.  Then eventually STARTTLS, and a new
EHLO from client to server.  There's no 0-RTT, no early data, ...

I think a singular focus in this WG on HTTPS as the sole motivating
use-case is unfortunate.

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email