[TLS] Comments on EndOfEarlyData

Britta Hale <britta.hale@ntnu.no> Tue, 16 May 2017 15:34 UTC

Return-Path: <britta.hale@ntnu.no>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id BAE19129C06 for <tls@ietfa.amsl.com>; Tue, 16 May 2017 08:34:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.503
X-Spam-Status: No, score=-1.503 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id NUxLTbBVuxUy for <tls@ietfa.amsl.com>; Tue, 16 May 2017 08:34:53 -0700 (PDT)
Received: from samson.item.ntnu.no (samson.item.ntnu.no []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F7B6128B90 for <tls@ietf.org>; Tue, 16 May 2017 08:30:54 -0700 (PDT)
Received: from localhost (localhost []) by samson.item.ntnu.no (Postfix) with ESMTP id DF6A7480089 for <tls@ietf.org>; Tue, 16 May 2017 17:30:52 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at item.ntnu.no
Received: from samson.item.ntnu.no ([]) by localhost (samson.item.ntnu.no []) (amavisd-new, port 10024) with ESMTP id XysAoeEp_D7w for <tls@ietf.org>; Tue, 16 May 2017 17:30:52 +0200 (CEST)
Received: from [] (84-52-238.131.3p.ntebredband.no []) by samson.item.ntnu.no (Postfix) with ESMTPSA id 5C7B4480087 for <tls@ietf.org>; Tue, 16 May 2017 17:30:52 +0200 (CEST)
To: tls@ietf.org
From: Britta Hale <britta.hale@ntnu.no>
Message-ID: <66025639-5ceb-021a-61c4-60620c402a6c@ntnu.no>
Date: Tue, 16 May 2017 17:30:51 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/77GN4qwrwfL0eb9th7a2E1gGL94>
Subject: [TLS] Comments on EndOfEarlyData
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 15:46:42 -0000

On the Sunday 30/05 TLS:DIV workshop there was mention of the
EndOfEarlyData message and its status as a handshake message or alert

The main argument mentioned for making EndOfEarlyData a handshake
message is that alert messages usually signal "abortive closure of the
connection" (e.g. fatal alerts). Having an EndOfEarlyData alert could be
misleading (i.e. possibly implying that a session is ending instead of

However, this intuition is incorrect. Alerts signal the end-of-use of
keys, not the prohibition of further communication under other keys.
Keys should be deleted and no further data should be sent on the
connection. For TLS 1.2 (7.2.1) it is even made explicitly clear that
session resumption is possible after a close_notify send/receipt.

It seems natural then to make EndOfEarlyData an alert message,
signifying end of 0-RTT data. Specifically, the 0-RTT handshake is
followed by 0-RTT data and finally an EndOfEarlyData alert to end use of
that key, while in parallel the remainder of the handshake and
subsequent session key act almost as a further resumption (i.e. under a
different key).

Making EndOfEarlyData an alert message also allows for clear key
boundaries: if EndOfEarlyData is a handshake message, then we are mixing
messages protected by the the client_early_traffic_secret and
handshake_traffic_secret in the Finished message.