Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
Hubert Kario <hkario@redhat.com> Fri, 15 November 2019 13:43 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 5FD6112086C
for <tls@ietfa.amsl.com>; Fri, 15 Nov 2019 05:43:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ySnbl20O3U4j for <tls@ietfa.amsl.com>;
Fri, 15 Nov 2019 05:43:26 -0800 (PST)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
[207.211.31.120])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 3851812086E
for <tls@ietf.org>; Fri, 15 Nov 2019 05:43:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1573825404;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=aSa3CudAgbCS7b/1B2QEEXuT94PwbHWmJj80i4CJmzU=;
b=SXPJKyfLnx1WFFhWiB4PR3yJgAqQ/uM/KS/SQSRY+qdXzIVrc/3dncSMIBATr1cXa3VH6L
3s9Fpq9lgCJyzbXkliEeHSzpEC6xR+YChIzMnNP+0LY33ezj3EBwDMekkNhZyhzhTAV8+9
rt+TRl8f/OgmhJ6XQIEqkQZiSOAefF4=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-431-MqFMVz9mNHeMpGtpMWfVaA-1; Fri, 15 Nov 2019 08:43:21 -0500
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
[10.5.11.23])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6021C1852E22;
Fri, 15 Nov 2019 13:43:20 +0000 (UTC)
Received: from localhost (ovpn-200-40.brq.redhat.com [10.40.200.40])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 9FBA69302;
Fri, 15 Nov 2019 13:43:17 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: tls <tls@ietf.org>
Date: Fri, 15 Nov 2019 14:43:15 +0100
MIME-Version: 1.0
Message-ID: <825db7ba-7b2c-4a4e-ab93-c7792b446463@redhat.com>
In-Reply-To: <CADZyTkmRP-xq5NjH1p914HFX3wpiYRkz3rr5yO99x87Q-N+-hg@mail.gmail.com>
References: <2FB1D8AD-2C22-4A09-B7AF-0EFD6F0DBACA@sn3rd.com>
<0469b84c-3009-427a-99ca-e7f6817f0b6c@www.fastmail.com>
<CADZyTknhZDi2JD5WRbKEOGDafHjhTkUm6QhOhv1kkA9BT1nekw@mail.gmail.com>
<37ff9a64-2749-4558-a675-5b251f06eb3a@www.fastmail.com>
<CADZyTkkS-CipB00+JMRrjNZqXhyCTdBhV11oydCNCCeG_M6ORg@mail.gmail.com>
<6fc786f3-9fbe-4f8e-92d3-cd9ceb7f3703@redhat.com>
<CADZyTkny6jpk=0gg-=yT3C3zY6N88a6t1RKjfKN+bNU6YbLshw@mail.gmail.com>
<07d49b6f-e79d-4058-878f-7a57d5b6f241@redhat.com>
<CADZyTkmRP-xq5NjH1p914HFX3wpiYRkz3rr5yO99x87Q-N+-hg@mail.gmail.com>
Organization: Red Hat
User-Agent: Trojita/0.7; Qt/5.12.5; xcb; Linux; Fedora release 30 (Thirty)
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-MC-Unique: MqFMVz9mNHeMpGtpMWfVaA-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6IuZWe142uy3yoyZuF5YqK0vdkY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working
group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>,
<mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
<mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Nov 2019 13:43:30 -0000
On Friday, 15 November 2019 13:00:14 CET, Daniel Migault wrote: > Hi Hubert, > > On Thu, Nov 14, 2019 at 12:33 PM Hubert Kario <hkario@redhat.com> wrote: > >> On Thursday, 14 November 2019 18:18:52 CET, Daniel Migault wrote: >>> Hi Hubert, >>> I understand the reasons for SHOULD. At least this should be documented. >>> To >>> address your first point, of course the specification applies to the >>> server >>> that support the extension. >> >>> Your second concern is solved by limiting the >>> NTS of KEX. >> >> by "KEX" you mean handshake? but New Session Ticket messages are not sent >> during handshake, they are sent after handshake is finished > > yes. I would consider the NST as part of the handshake even for those sent > after the post-handshake authentication. that would make tickets useless for sessions that use PHA > I agree better terms may be used. > The rekey aspect seems to me out of the handshake. rekey also don't impact the keys used for derivation of session ticket secrets... >> so how exactly you want to decide when server stopped sending NSTs after >> handshake finished? >> > > That the spec does not mention it does not mean this will not be defined. > Instead it means each implementer will have its own logic, definitions and > outputs. The same reasoning occurs to the complexity argument,not > specifying it does not reduce the complexity but let it to the > implementation with all unexpected corner cases. my point is that there is no good way to define it, if you want the count to be limited, you need provide a good way to do that I say that there isn't one, so defining it is futile >>> The third point is addressed by the minimum of the (count, >>> server_nbr). Note that I see count as a maximum. Overall I do not think >>> this would add much complexity. The only complexity I see is when a >> server >>> sends NTS at different time in the KEX. >> >> again, and what if the server misbehaves? >> > > Again, it would be a bug but the current spec is very permissive, at least > in my opinion. I do not believe that not specifying the expected behaviors > will prevent misbehaviors to happen, it, instead simply legitimates them. a MUST requires strict definition, which we can't provide, a SHOULD is already in the draft -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Bill Frantz
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni