Re: [TLS] Removing restriction on cross-domain resumption

David Benjamin <davidben@chromium.org> Thu, 14 September 2017 23:04 UTC

From: David Benjamin <davidben@chromium.org>
Date: Thu, 14 Sep 2017 23:03:57 +0000
Message-ID: <CAF8qwaAhNYZrA1a19Tk5C6cUQo+vUaRBUKUcE59GU=Q_FzVkrA@mail.gmail.com>
To: noloader@gmail.com, Victor Vasiliev <vasilvv@google.com>
Cc: "tls@ietf.org" <TLS@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2eivqY2hXq1ph6G1_cuOUK9vEQY>
Subject: Re: [TLS] Removing restriction on cross-domain resumption

On Thu, Sep 14, 2017 at 6:42 PM Jeffrey Walton <noloader@gmail.com> wrote:

> To play devil's advocate, will the TLS stack need to keep a copy of
> the certificate or authorized origins (an origin group?) for future
> connections?

Implementations that don't retain enough information for it can always just
not offer sessions across domains. What resumption patterns to support and
what state to retain to support those is an implementation decision.

But stacks I've seen already retain this anyway. It's common to have APIs
that retrieve the peer certificate and for resumption to be more-or-less
transparent. That combination implies sessions must retain the peer
certificate to resurface when asked.

David
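The point made in this reply, that a stack may only offer a cached session to a second domain if it retained enough of the peer certificate to confirm that certificate also covers the new domain, as an added Python sketch that is not code from this thread or from any TLS implementation. The cache, class and field names are assumptions; the name matching follows the RFC 6125 wildcard rule (a `*` only as the whole leftmost label), and a cache that retained no certificate names falls back to same-host resumption only.

```python
from dataclasses import dataclass


@dataclass
class CachedSession:
    # Hypothetical cache entry: the ticket plus the dNSName SANs retained
    # from the peer certificate presented on the original full handshake.
    ticket: bytes
    cert_dns_names: tuple
    expires_at: float


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive, '*' only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count (wildcard spans one label) and at least two parent labels.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert_dns_names, host: str) -> bool:
    return any(dns_name_matches(p, host) for p in cert_dns_names)


class SessionCache:
    """Client-side session cache keyed by the host the session was created for."""

    def __init__(self):
        self._by_host = {}

    def store(self, host: str, session: CachedSession) -> None:
        self._by_host[host.lower()] = session

    def session_to_offer(self, host: str, now: float):
        """Return a session worth offering for `host`, or None (full handshake).

        A same-host session is offered directly. A session cached under a
        different host is offered only if its retained certificate names
        also cover `host`; with no retained names it is never offered.
        """
        same = self._by_host.get(host.lower())
        if same is not None and same.expires_at > now:
            return same
        for other_host, s in self._by_host.items():
            if other_host == host.lower() or s.expires_at <= now:
                continue
            if cert_covers_host(s.cert_dns_names, host):
                return s
        return None
```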