Re: [TLS] Removing restriction on cross-domain resumption
David Benjamin <davidben@chromium.org> Thu, 14 September 2017 23:04 UTC
References: <CAAZdMaeHTBw-2ZTzO5hzD==hywBBeEcOaofPm2wuNHy7LQxLpA@mail.gmail.com> <CAH8yC8m=t4PMvrCo-68A4R7kft+CCtLBscEp_D3Z_Mn5C2Y1bA@mail.gmail.com>
In-Reply-To: <CAH8yC8m=t4PMvrCo-68A4R7kft+CCtLBscEp_D3Z_Mn5C2Y1bA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 14 Sep 2017 23:03:57 +0000
Message-ID: <CAF8qwaAhNYZrA1a19Tk5C6cUQo+vUaRBUKUcE59GU=Q_FzVkrA@mail.gmail.com>
To: noloader@gmail.com, Victor Vasiliev <vasilvv@google.com>
Cc: "tls@ietf.org" <TLS@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2eivqY2hXq1ph6G1_cuOUK9vEQY>
Subject: Re: [TLS] Removing restriction on cross-domain resumption
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
On Thu, Sep 14, 2017 at 6:42 PM Jeffrey Walton <noloader@gmail.com> wrote:

> To play devil's advocate, will the TLS stack need to keep a copy of
> the certificate or authorized origins (an origin group?) for future
> connections?

Implementations that don't retain enough information for it can always just not offer sessions across domains. What resumption patterns to support and what state to retain to support those is an implementation decision.

But stacks I've seen already retain this anyway. It's common to have APIs that retrieve the peer certificate and for resumption to be more-or-less transparent. That combination implies sessions must retain the peer certificate to resurface when asked.

David
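The state requirement David describes can be made concrete with a small model of a client-side session cache. This is an added illustration, not code from the thread or from any TLS stack: each cached session records the DNS names from the peer certificate it was established under, and a session is offered for a different hostname only when those retained names cover it. A session stored without that information (the "don't retain enough" case) is offered only to the host it was originally established with. The session fields, the `select_session` function and the sample cache entries are all constructed for this example.

```python
"""
Model of a client-side TLS session cache deciding whether a stored
session may be offered for a connection to a different hostname.

Added example; not the code of any real TLS implementation.
Assumptions (constructed for this example):
  - a session remembers the host it was established with (origin_host);
  - a session may remember the dNSName SAN entries of the peer certificate;
  - a session with no retained names is offered only to origin_host;
  - expired sessions are never offered.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Iterable


@dataclass
class CachedSession:
    origin_host: str                                  # host the session was first established with
    ticket: bytes                                     # opaque session ticket / session ID
    expires_at: float                                 # absolute expiry, seconds since epoch
    peer_cert_dns_names: Optional[Tuple[str, ...]] = None  # SAN dNSNames, or None if not retained


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label leftmost wildcard (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # "*.example.com" -> ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        # The wildcard stands for exactly one non-empty label.
        return label != "" and "." not in label
    return False


def cert_covers(session: CachedSession, hostname: str) -> bool:
    """True only if the retained certificate names cover hostname."""
    if session.peer_cert_dns_names is None:
        return False                                  # nothing retained: cannot vouch for other hosts
    return any(_name_matches(n, hostname) for n in session.peer_cert_dns_names)


def select_session(cache: Iterable[CachedSession], hostname: str, now: float) -> Optional[CachedSession]:
    """Return the first unexpired session that may be offered to hostname, else None."""
    for s in cache:
        if s.expires_at <= now:
            continue                                  # stale state is never offered
        if s.origin_host.lower() == hostname.lower():
            return s                                  # same host: the classic resumption case
        if cert_covers(s, hostname):
            return s                                  # cross-domain: allowed because the cert covers it
    return None


# Constructed sample cache (not real tickets or real hosts of any deployment).
NOW = 1_505_430_000.0
SESSION_WITH_CERT = CachedSession(
    origin_host="www.example.com",
    ticket=b"\x01" * 16,
    expires_at=NOW + 3600,
    peer_cert_dns_names=("www.example.com", "*.example.com"),
)
SESSION_NO_CERT = CachedSession(
    origin_host="cdn.example.net",
    ticket=b"\x02" * 16,
    expires_at=NOW + 3600,
    peer_cert_dns_names=None,                         # stack kept no certificate information
)
SESSION_EXPIRED = CachedSession(
    origin_host="old.example.org",
    ticket=b"\x03" * 16,
    expires_at=NOW - 1,
    peer_cert_dns_names=("old.example.org",),
)
SAMPLE_CACHE = (SESSION_WITH_CERT, SESSION_NO_CERT, SESSION_EXPIRED)


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "deep.api.example.com",
                 "cdn.example.net", "other.example.net", "old.example.org"):
        chosen = select_session(SAMPLE_CACHE, host, NOW)
        print(f"{host:24} -> {'offer ' + chosen.origin_host if chosen else 'no session offered'}")
```

Only the certificate's DNS names are modeled here; a stack that exposes the peer certificate through its API, as the message notes most do, would retain the full certificate chain with the session and can re-check it (validity period, name constraints, revocation state) at offer time rather than relying on a pre-extracted name list.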