Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 01 February 2020 02:07 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7390120045 for <tls@ietfa.amsl.com>; Fri, 31 Jan 2020 18:07:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePJ9SJ8OyJgS for <tls@ietfa.amsl.com>; Fri, 31 Jan 2020 18:06:59 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5E8E120024 for <tls@ietf.org>; Fri, 31 Jan 2020 18:06:59 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 7778A36C38 for <tls@ietf.org>; Fri, 31 Jan 2020 21:06:58 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <5E66E815-E649-4EE5-9780-AA2158F81744@apple.com>
Date: Fri, 31 Jan 2020 21:06:57 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <B3C6BBC1-EBCA-4A9C-A1F8-2849E39089E2@dukhovni.org>
References: <CAN2QdAH7t4fPgBfBSO7Ni1As2bVB9QvCw1s9j0ggqvTRUATE8A@mail.gmail.com> <20200123021455.GA73491@straasha.imrryr.org> <87427017-551e-4633-a0d3-75f378879aa9@redhat.com> <20200123124055.GF73491@straasha.imrryr.org> <CACsn0cngxBQTB+Pfw6t_+qsSFb0Kf8mV1U1J1UTsPJiUk=vg0w@mail.gmail.com> <20200123193250.GD12073@localhost> <20200123210151.GG73491@straasha.imrryr.org> <5F5F670C-A0BD-4F38-BEFF-192C171EDAC1@apple.com> <20200131235533.GA18021@localhost> <CAChr6Sz6PEgQUQg8dB9Ym0z5_iRjmZE5g1hUCCgEOsA-7A=P-w@mail.gmail.com> <20200201011115.GB18021@localhost> <CAChr6SywucrTUsAeN6Aw26ufmhcB8txAmFVNGnUaeR3gG653VQ@mail.gmail.com> <4E7DC6E9-A04E-4016-A12A-CFC723E18219@dukhovni.org> <5E66E815-E649-4EE5-9780-AA2158F81744@apple.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/455VEg5VwMwcc03aI-WE99bptxw>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Feb 2020 02:07:03 -0000

> On Jan 31, 2020, at 8:53 PM, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
> 
> Thus, the working group can progress with the tightly-scoped document that it has consensus on, and leave other use cases to future documents.

Such a deferral may be desirable and viable in cases where the
features are sufficiently orthogonal.  But here the extension
specifies the number of requested tickets, and so any separate
document would have to change the semantics of this extension
in order to get conditional issuance of tickets.

It makes no sense to split the negotiation of the ticket number
over multiple documents.  The added use-case is effectively
*free* to ignore by implementations that never want reuse,
just treat zero as 1, and be done.

If this were a major burdensome feature, I'd be sympathetic to
your desire to carve it out to a separate discussion.  But here,
I'm pretty consensus will be reached soon after we stop focusing
on the legitimacy or timing of the proposal and focus on its
substance in a final wrap-up consensus call.

I may end up in the rough, but let's at least see where the chips
fall.

The security considerations can continue to discourage reuse where
traffic analysis is a concern.  It is NOT a concern in MTA-to-MTA
traffic.  If my proposal moves forward, I'll gladly contribute
some text to the security considerations discouraging wanton
application of ticket reuse.  It should be enabled only where
appropriate.

Note that I'd like to use this extension to conditionally enable
non-reuse where presently re-use is unconditional.  Otherwise,
Postfix will just always go with reuse.

-- 
	Viktor.