Re: [TLS] 0-RTT and Anti-Replay

Nico Williams <> Mon, 23 March 2015 17:16 UTC

Date: Mon, 23 Mar 2015 12:15:32 -0500
From: Nico Williams <>
To: Colm MacCárthaigh <>
Message-ID: <20150323171532.GO21267@localhost>

On Mon, Mar 23, 2015 at 09:44:16AM -0700, Colm MacCárthaigh wrote:
> On Mon, Mar 23, 2015 at 9:22 AM, Viktor Dukhovni <> wrote:
> > Deliberately so, for people who know what they are doing, to support
> > latency sensitive idempotent requests that don't need request replay
> > protection.
> Should using TLS securely rely on that level of expertise? It is also
> an incredible temptation to have the possibility of optimistic
> execution, and just not pay any attention to the idempotent (or
> reliability) issues.

In some sense this is unavoidable.

Consider channel binding.

In the SASL/GS2 framework we use the GSS channel binding data input to
deliver data beyond just proper channel binding data, but the data so
delivered is negotiation data.  (Integrity protection of that data is
delivered eventually.)

Now, TLS may not have a proper channel binding data _input_, but
developers, I'm sure, could marshal something.

Imagine a StartTLS protocol where the client sends a request (launch
missiles) and a request/offer to upgrade to TLS, with subsequent
integrity protection of the "0-RTT" data from the first request: if the
server has acted on the 0-RTT data by then, it's too late.

Therefore it seems that the issue is somewhat unavoidable even if we
exclude a 0-RTT mode in TLS, and so we should describe the associated
security considerations.
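
The hazard described in this message, modelled as an added example (this is not code from the thread, from any TLS stack, or from a StartTLS protocol; the class names, the "debit"/"set_limit" operations and the nonce cache are all invented for illustration). A client sends its first request alongside the upgrade offer, the server acts on it before any integrity protection exists, and an on-path attacker replays the captured first flight. The non-idempotent request is executed twice, the idempotent one is harmless to replay (Viktor's point), and a hypothetical single-use nonce cache in front of execution rejects the replay:

```python
"""Toy model of optimistic execution of 0-RTT / pre-upgrade request data.

Added example, not from the mailing-list thread. All names here are
hypothetical: the protocol is a stand-in for a StartTLS-style upgrade in
which the first request rides along with the upgrade offer and is acted on
before the handshake that would integrity-protect it has completed.
"""
import os
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class EarlyData:
    """The client's first flight. Nothing about it is authenticated yet."""
    nonce: bytes   # client-chosen, fresh per connection attempt
    op: str        # "debit" is non-idempotent, "set_limit" is idempotent
    arg: int


class Account:
    def __init__(self) -> None:
        self.balance = 100
        self.limit = 0


class OptimisticServer:
    """Executes the early request as soon as it arrives: the 'too late' case."""

    def __init__(self) -> None:
        self.account = Account()
        self.executed = 0

    def handle(self, msg: EarlyData) -> str:
        if msg.op == "debit":
            self.account.balance -= msg.arg      # side effect repeats on replay
        elif msg.op == "set_limit":
            self.account.limit = msg.arg         # same end state however often replayed
        else:
            return "rejected: unknown op"
        self.executed += 1
        return "executed"


class ReplayGuardedServer(OptimisticServer):
    """Same server with a hypothetical single-use nonce cache before execution.

    A plain set is enough for this demonstration but not for deployment: it
    only covers one server process and never shrinks. A real server needs a
    bounded window and a cache shared across every server that could accept
    the same first flight.
    """

    def __init__(self) -> None:
        super().__init__()
        self._seen: Set[bytes] = set()

    def handle(self, msg: EarlyData) -> str:
        if msg.nonce in self._seen:
            return "rejected: replay"
        self._seen.add(msg.nonce)
        return super().handle(msg)


def run_scenario(server: OptimisticServer, op: str, arg: int,
                 replays: int = 1) -> List[str]:
    """Client sends one early request; an on-path attacker replays the bytes.

    Returns the server's verdict for the genuine flight followed by one
    verdict per replayed copy.
    """
    msg = EarlyData(nonce=os.urandom(16), op=op, arg=arg)
    results = [server.handle(msg)]            # the genuine first flight
    for _ in range(replays):                  # attacker resends the same bytes
        results.append(server.handle(msg))
    return results


if __name__ == "__main__":
    s = OptimisticServer()
    print(run_scenario(s, "debit", 30), "balance", s.account.balance)
    s = OptimisticServer()
    print(run_scenario(s, "set_limit", 5), "limit", s.account.limit)
    g = ReplayGuardedServer()
    print(run_scenario(g, "debit", 30, replays=2), "balance", g.account.balance)
```

Note that the nonce cache only addresses replay: because the first flight is unauthenticated when the server acts on it, the same attacker could just as well alter it, which is why the message above says the deferred integrity protection arrives too late rather than merely that replay is possible.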