[TLS] draft-ietf-tls-ticketrequests-05

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 01 July 2020 16:52 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Wed, 1 Jul 2020 16:52:18 +0000
Message-ID: <AM0PR08MB3716F0A25D726E5F57CA6525FA6C0@AM0PR08MB3716.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GQlef7xeDmVlBOopKQ180KI7NZ0>
Subject: [TLS] draft-ietf-tls-ticketrequests-05

Hi Tommy, Hi David, Hi Chris,

I read through the draft and have a few questions.

1) Is it really necessary for the client to use two values to differentiate the tickets it wants with a new session and with resumption? It feels a bit over-designed. I would just have one value, and that alone would be super useful already.

2) This sentence confuses me:
"
   Servers SHOULD NOT send more tickets than requested for the handshake
   type selected by the server (resumption or full handshake).
   Moreover, servers SHOULD place a limit on the number of tickets they
   are willing to send, whether for full handshakes or resumptions, to
   save resources.
"

Shouldn't the sentence say:
"
   Servers SHOULD NOT send more tickets than requested for the handshake
   type (resumption or full handshake) indicated by the client.
"

Even then, I believe the sentence should actually say MUST NOT instead of SHOULD NOT. If the client is already taking the effort to indicate that it does not want more than a certain number of tickets, then it might have a reason. I am thinking about the case where the client indicates that it does not want any tickets; then it would be strange for the server to express support for the extension and still send tickets.

3) Does the server really need to send the number of tickets it is planning to send back to the client? In the draft you already indicate that the server may send fewer tickets than requested by the client. So, the number expressed by the client is an upper limit anyway.

4) I believe it would make sense to define a ticket flag for the case where the client does not want to receive any tickets.

5) If a client sends the ClientTicketRequest extension during the full handshake is there an expectation that it sends it again in the resumption exchange? Would you assume that the server memorizes how many tickets the client wanted across the resumption handshakes? For example, in the full handshake I use the extension and indicate that I want 5 tickets. I get two tickets from the server. Then, I run a resumption handshake without transmitting the extension. Is the server expected to remember to still send 3 more tickets till the quota is exhausted?

6) The topic of when to send the tickets is something you mention in the document and it is indeed an issue. Have you thought about allowing the client to signal to the server when to send the tickets? Even making a distinction between "send me all tickets in a batch" and "send one after the other with some reasonable time in between" would be helpful.

Ciao
Hannes
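The following is an added illustration of the points in questions 2 and 3 above; it is not code from the draft, its authors, or this message. It encodes and decodes the two extension bodies the message refers to (two client counts, one server count) and applies the server-side rule "do not send more tickets than requested for the handshake type actually selected, and cap by server policy". The field names new_session_count, resumption_count and expected_count, the one-byte encoding, and the behaviour when the extension is absent on resumption (the server applies its default rather than remembering an earlier count) are assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientTicketRequest:
    """Client extension body (field names assumed for this example)."""
    new_session_count: int   # tickets wanted after a full handshake
    resumption_count: int    # tickets wanted after a resumption handshake

    def encode(self) -> bytes:
        for v in (self.new_session_count, self.resumption_count):
            if not 0 <= v <= 255:
                raise ValueError("counts are uint8")
        return struct.pack("!BB", self.new_session_count, self.resumption_count)

    @classmethod
    def decode(cls, body: bytes) -> "ClientTicketRequest":
        # Reject a malformed body outright instead of silently truncating or
        # padding it; a lenient parser here is how odd extension bodies slip by.
        if len(body) != 2:
            raise ValueError(f"ClientTicketRequest body must be 2 bytes, got {len(body)}")
        return cls(*struct.unpack("!BB", body))


@dataclass(frozen=True)
class ServerTicketRequest:
    """Server echo: how many NewSessionTicket messages it intends to send."""
    expected_count: int

    def encode(self) -> bytes:
        if not 0 <= self.expected_count <= 255:
            raise ValueError("count is uint8")
        return struct.pack("!B", self.expected_count)

    @classmethod
    def decode(cls, body: bytes) -> "ServerTicketRequest":
        if len(body) != 1:
            raise ValueError(f"ServerTicketRequest body must be 1 byte, got {len(body)}")
        return cls(*struct.unpack("!B", body))


def tickets_to_send(req: ClientTicketRequest, resumed: bool, server_cap: int) -> int:
    """Apply the counting rule: never exceed what the client asked for on the
    handshake type the server selected, and never exceed the server's own cap.
    A client value of 0 therefore yields 0, i.e. no NewSessionTicket at all."""
    requested = req.resumption_count if resumed else req.new_session_count
    return min(requested, server_cap)


def negotiate(client_body: Optional[bytes], resumed: bool,
              server_cap: int, default_count: int) -> Tuple[int, Optional[bytes]]:
    """Server side of the exchange.

    Returns (number of tickets to send, ServerTicketRequest body to include in
    the server's response, or None when the client did not send the extension).
    Assumption: without the extension the server applies default_count and keeps
    no memory of counts requested in an earlier handshake.
    """
    if client_body is None:
        return min(default_count, server_cap), None
    req = ClientTicketRequest.decode(client_body)
    n = tickets_to_send(req, resumed, server_cap)
    return n, ServerTicketRequest(n).encode()


def rejects_malformed(body: bytes) -> bool:
    """True if the decoder refuses a body of the wrong length."""
    try:
        ClientTicketRequest.decode(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: client wants 5 tickets after a full handshake, 2 after
    # resumption; the server caps itself at 2 and defaults to 1 without the extension.
    body = ClientTicketRequest(5, 2).encode()
    print(negotiate(body, resumed=False, server_cap=2, default_count=1))
    print(negotiate(body, resumed=True, server_cap=2, default_count=1))
    print(negotiate(None, resumed=True, server_cap=2, default_count=1))
```

The scenario in question 5 falls out of the last call: with the extension absent on the resumption handshake, this model sends the server default rather than the remainder of an earlier quota.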
