Re: [TLS] draft-ietf-tls-tls13-21 posted
Eric Rescorla <ekr@rtfm.com> Tue, 04 July 2017 01:39 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1E86131614 for <tls@ietfa.amsl.com>; Mon, 3 Jul 2017 18:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urI6Eurw9qle for <tls@ietfa.amsl.com>; Mon, 3 Jul 2017 18:39:14 -0700 (PDT)
Received: from mail-yb0-x22e.google.com (mail-yb0-x22e.google.com [IPv6:2607:f8b0:4002:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1854C1316A4 for <tls@ietf.org>; Mon, 3 Jul 2017 18:39:14 -0700 (PDT)
Received: by mail-yb0-x22e.google.com with SMTP id f194so575808yba.3 for <tls@ietf.org>; Mon, 03 Jul 2017 18:39:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=lXHcSn+9sI/pkrjN7kEiV7lC7d3yQFtwAWh0UyN6Ykg=; b=bjYg+y6rW1cQ/Ekw+yMgWvI5co9iQz4EG7Wxr2H7SLuBpzXSbTqKytD/2hSjFobhhp cNKqOsfyoVIo2TThi0+KoLk+J3RGfXnqSB+9epkt5M+Oc4TkasHtclVSz/9zdjomN5wF wmE903T91zUOFJ9IJpwMj6Z4Tbl4AZFQDOsMo0kkyQbeklX0udNsW3tWOj1v89FNtUpW 6d2fmpQpvGnCYGcq3OxyYXQzrNVLjDGtxCMrbzkEbUS1a6y8cGfdvaj0r0YdS58sUwak a08dxj2OYhKwA47ejML+odGMhqi4vR/yKUdOUK13QtqtBcyqWoBKtIDGScslftYQXZcW y6ZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=lXHcSn+9sI/pkrjN7kEiV7lC7d3yQFtwAWh0UyN6Ykg=; b=f9fPQHi8g1NiJuXB60sWANXS9hCh6CocMhfM8VW8TKxykhisk8mqT2h0lAkgSeBsKy 5JKZccEj/A0PwFg0RhZtSmTY0vnQx1e627NJKccW/ydDGjIDH5M1ezxb0QUWArYBruni WSvbd7I21Nvzqsbyq8OA0a3yeocmAbVMk857JjOhsCaJzLKWcc5fQpaCz8g9cY/h4hzs q/bdnbWvWVMmtzI0TD8JjAA64erNkZ3zeRHPXZQZVZ5DB4By367koRd1kYFLfr4lDb50 57yRUda0QS9w0yQJolwGY4z0XCYxMUAo5xo32vg3gGC1zswfEMQkIIT6j8uiDIqlpOoR JjMA==
X-Gm-Message-State: AKS2vOyaQCYIx9+5Sx1GynsYHzgsUqb0NvdmD8Z6xAAz9k8BaYbC3kOT bp/9UAOCpySk1AJWGsZdv2qeAjDp+E60vf3v9w==
X-Received: by 10.37.162.104 with SMTP id b95mr30143525ybi.29.1499132352982; Mon, 03 Jul 2017 18:39:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Mon, 3 Jul 2017 18:38:32 -0700 (PDT)
In-Reply-To: <CABcZeBN7vJXZJadNzPR5RbWwZpgM+NgjW7FvuJW+Q5cNUu6_FQ@mail.gmail.com>
References: <CABcZeBN7vJXZJadNzPR5RbWwZpgM+NgjW7FvuJW+Q5cNUu6_FQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 03 Jul 2017 18:38:32 -0700
Message-ID: <CABcZeBNpoukQdDHa=jUkZk=3Dp=UKxCdqiGYvGyU4oOsqH039g@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c19fcf85f11f4055373f33b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/39X4677vmki6pWGhW3hic7KiinY>
Subject: Re: [TLS] draft-ietf-tls-tls13-21 posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2017 01:39:16 -0000
One more thing I wanted to note. The section about when you could receive
prior to Finished was a bit confused. I rewrote it as follows.
Once a side has sent its Finished message and received and validated
the Finished message from its peer, it may begin to send and receive
application data over the connection. There are two settings in
which it is permitted to send data prior to receiving the peer's
Finished:
1. Clients ending 0-RTT data as described in Section 4.2.9.
2. Servers MAY send data after sending their first flight, but
because the handshake is not yet complete, they have no assurance
of either the peer's identity or of it's liveness (i.e., the
ClientHello might have been replayed).
This is not intended to be a normative change but just to capture the
current
state, so if people think I messed it up, or have proposed better wording,
please send PRs
-Ekr
On Mon, Jul 3, 2017 at 5:01 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> Hi folks,
>
> I just published draft-21, which incorporates the discussions we've
> been having about 0-RTT replay. This lead to two changes:
>
> - Modifying the key derivation for PSKs so that each session ticket
> is associated with a distinct PSK.
>
> - Adding a very extensive description of 0-RTT nti-replay and
> a SHOULD-level recommendation that servers use some anti-
> replay mechanism that doesn't allow replay within a given
> zone.
>
> In addition, I have followed Richard Barnes's lead and added
> key transition events to the state machine. This also clarified
> that clients should send in-handshake alerts encrypted if they
> can.
>
> I wanted to call the WG's attention to one issue:
>
> Currently the extension table says that server_certificate_type goes
> in the Certificate message, whereas client_certificate_type does
> not. My reasoning for the latter is that the extensions are attached
> to individual certificate elements, so it was non-sensical to have a
> situation where you might have cert A be X.509 and cert B be PGP. I
> think we should just change server_certificate_type to go in EE, and
> then maybe in future if people want something cleverer they can add it
> then. I didn't want to do this without WG discussion, but I think we
> should and if people don't object I'll do it in a -22.
>
> This version also addresses Kathleen's AD Review.
>
> Other comments welcome.
> -Ekr
>
>
> [0] Note that this is a bit tricky when you are also streaming
> Early Data.
>
>
>
>
>
>
>
- [TLS] draft-ietf-tls-tls13-21 posted Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21 posted Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21 posted Martin Thomson
- Re: [TLS] draft-ietf-tls-tls13-21 posted Matt Caswell
- Re: [TLS] draft-ietf-tls-tls13-21 posted Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-tls13-21 posted Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-tls13-21 posted Matt Caswell
- Re: [TLS] draft-ietf-tls-tls13-21 posted Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21 posted Martin Thomson
- Re: [TLS] draft-ietf-tls-tls13-21 posted Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21 posted Kazu Yamamoto ( 山本和彦 )
- Re: [TLS] draft-ietf-tls-tls13-21 posted Martin Thomson
- Re: [TLS] draft-ietf-tls-tls13-21 posted Kazu Yamamoto ( 山本和彦 )
- Re: [TLS] draft-ietf-tls-tls13-21 posted Martin Thomson
- Re: [TLS] draft-ietf-tls-tls13-21 posted Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21 posted Matt Caswell
- Re: [TLS] draft-ietf-tls-tls13-21 posted Matt Caswell
- Re: [TLS] draft-ietf-tls-tls13-21 posted Benjamin Kaduk