Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Hubert Kario <> Fri, 15 November 2019 13:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5FD6112086C for <>; Fri, 15 Nov 2019 05:43:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ySnbl20O3U4j for <>; Fri, 15 Nov 2019 05:43:26 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3851812086E for <>; Fri, 15 Nov 2019 05:43:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1573825404; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aSa3CudAgbCS7b/1B2QEEXuT94PwbHWmJj80i4CJmzU=; b=SXPJKyfLnx1WFFhWiB4PR3yJgAqQ/uM/KS/SQSRY+qdXzIVrc/3dncSMIBATr1cXa3VH6L 3s9Fpq9lgCJyzbXkliEeHSzpEC6xR+YChIzMnNP+0LY33ezj3EBwDMekkNhZyhzhTAV8+9 rt+TRl8f/OgmhJ6XQIEqkQZiSOAefF4=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-431-MqFMVz9mNHeMpGtpMWfVaA-1; Fri, 15 Nov 2019 08:43:21 -0500
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6021C1852E22; Fri, 15 Nov 2019 13:43:20 +0000 (UTC)
Received: from localhost ( []) by (Postfix) with ESMTPS id 9FBA69302; Fri, 15 Nov 2019 13:43:17 +0000 (UTC)
From: Hubert Kario <>
To: Daniel Migault <>
Cc: tls <>
Date: Fri, 15 Nov 2019 14:43:15 +0100
MIME-Version: 1.0
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Organization: Red Hat
User-Agent: Trojita/0.7; Qt/5.12.5; xcb; Linux; Fedora release 30 (Thirty)
X-Scanned-By: MIMEDefang 2.84 on
X-MC-Unique: MqFMVz9mNHeMpGtpMWfVaA-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Nov 2019 13:43:30 -0000

On Friday, 15 November 2019 13:00:14 CET, Daniel Migault wrote:
> Hi  Hubert,
> On Thu, Nov 14, 2019 at 12:33 PM Hubert Kario <> wrote:
>> On Thursday, 14 November 2019 18:18:52 CET, Daniel Migault wrote:
>>> Hi Hubert,

>>> I understand the reasons for SHOULD. At least this should be documented.
>>> To
>>> address your first point, of course the specification applies to the
>>> server
>>> that support the extension.
>>> Your second concern is solved by limiting the
>>> NTS of KEX.
>> by "KEX" you mean handshake? but New Session Ticket messages are not sent
>> during handshake, they are sent after handshake is finished
> yes. I would consider the NST as part of the handshake even for those sent
> after the post-handshake authentication.

that would make tickets useless for sessions that use PHA

> I agree better terms may be used.
> The rekey aspect seems to me out of the handshake.

rekey also don't impact the keys used for derivation of session ticket

>> so how exactly you want to decide when server stopped sending NSTs after
>> handshake finished?
> That the spec does not mention it does not mean this will not be defined.
> Instead it means each implementer will have its own logic, definitions and
> outputs. The same reasoning occurs to the complexity argument,not
> specifying it does not reduce the complexity but let it to the
> implementation with all unexpected corner cases.

my point is that there is no good way to define it, if you want the count 
to be
limited, you need provide a good way to do that

I say that there isn't one, so defining it is futile

>>> The third point is addressed by the minimum of the (count,
>>> server_nbr). Note that I see count as a maximum. Overall I do not think
>>> this would add much complexity.  The only complexity I see is when a
>> server
>>> sends NTS at different time in the KEX.
>> again, and what if the server misbehaves?
> Again, it would be a bug but the current spec is very permissive, at least
> in my opinion. I do not believe that not specifying the expected behaviors
> will prevent misbehaviors to happen, it, instead simply legitimates them.

a MUST requires strict definition, which we can't provide, a SHOULD is 
in the draft

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic