Re: [TLS] PR #493: Multiple concurrent tickets
Eric Rescorla <ekr@rtfm.com> Sat, 04 June 2016 18:29 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3575612D595 for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 11:29:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1qC8l4ggMN8D for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 11:29:22 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13D9B12D0B6 for <tls@ietf.org>; Sat, 4 Jun 2016 11:29:22 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id x189so108289602ywe.3 for <tls@ietf.org>; Sat, 04 Jun 2016 11:29:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=B0L+Qn0YTjSYV+877kcMSVSzdcgKqfC5jWaHUZzfZsk=; b=kzus9e0iGW3WMCUhJiPHidQDtY8uk7mtfVqMUYUILs8OnsFKEanfdW3+mzyhjRj/1C RlbaYd8DWz1/VM4zrVU+zSqSxnogE+Q5kX/t+QkWkL6EqseMeAnIU3kUnaoGZ7ycNzK+ xjgjUOorn5DkmnC9tPxgdo9wc4bkKijy/rCBanILgdaOulXf0uztRo2wrmOxw3EA4Kln 2ihXlOK8TauNI/O51VZ9d9Fv5wq6NtiTXhVWmmPW7nCzQoVpdr2UkROZCzELUhOydU1O hLvQrTxhE1+EE1N2oua3z1iAfhjTRsfvQLjMiqnbQtZJMMVuz5a8zClhdKCzZklC0BGS DvtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=B0L+Qn0YTjSYV+877kcMSVSzdcgKqfC5jWaHUZzfZsk=; b=R30GPjc3Z52/PHZjoAeZXK2O3vvOCFekPzIq97YDgzaIELntUGhKeU8TnLE3+58j2g 5058rINFsZYQ8BhjsOavUjMM2WaJZTVEcWaA+AweP6oeUjEfbl17GerGcbaxdhYT0YdA rg/wigqs1T+SNI5DvS7jxdqI8IviYKof/i3BZgu4NiJ8AVH/3xbPsKlTibs+KBIDx/sD bY4QzYva6E42YLU0fwWNw8wu3JK4lIkf4rXJnBc7IZcQUMtuOjxa52KTv2kLsoRN4W5k OVlGiKqghT8zmq2ODc0ndlf+3tVi5W80YUe5tUqPjxMz88wLJXoABdpFqvapdOoqILLz xohw==
X-Gm-Message-State: ALyK8tJxIFbVhyLac+PS+MBu0ZF7vgTyj5gBCGzC1pWmJqtxxODz6PLpimR+Qu869Ixz7Uxwn9WJLAgaYtycfA==
X-Received: by 10.129.164.145 with SMTP id b139mr7124167ywh.171.1465064961224; Sat, 04 Jun 2016 11:29:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.230.76 with HTTP; Sat, 4 Jun 2016 11:28:41 -0700 (PDT)
In-Reply-To: <CAF8qwaCCYcdMjh_0g4tstkmF93XzHjGB_WTNdTCf6A22aRNWLg@mail.gmail.com>
References: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com> <CAF8qwaBe5s74qWrA5+NSpc18Z631a7pYdrx6H=m=nTpQheHcUw@mail.gmail.com> <CABcZeBOE5md1kz2NcnobgvLXEC1yMH=0U_-_Y+pN2NZ=C0xH=w@mail.gmail.com> <CAF8qwaCCYcdMjh_0g4tstkmF93XzHjGB_WTNdTCf6A22aRNWLg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 04 Jun 2016 11:28:41 -0700
Message-ID: <CABcZeBNkXt2UeFe+tUEy2H4rKT+dLCz5SL-SpHV_GXo17pGykQ@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary="94eb2c128ec2965e27053478049a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8rcJWh5vZ_FQXx3dbYSI2ZizjNc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR #493: Multiple concurrent tickets
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2016 18:29:25 -0000
Yes, these are all reasonable points. It's purely a matter of thinking one might want to minimize the number of anomalies. But maybe that's not a useful goal. -Ekr On Sat, Jun 4, 2016 at 11:10 AM, David Benjamin <davidben@chromium.org> wrote: > Wouldn't the server be required to handle such a case anyway? If it's > doing post-handshake auth, it wants to do something reactive, such as based > on HTTP request or so. But that means I may have not hit an auth'd URL, > saved the session, resumed it, and then hit an auth'd URL. Or perhaps I > have two connections, one of which happens to hit auth'd URLs and the other > happens to hit unauth'd URLs. There's no ordering between the two sets of > sessions, so the unauth'd one may win. > > That means servers must already allow for resuming an unauth'd session, > hitting a auth'd URL, and sending a fresh post-handshake > CertificateRequest. If anything, I wouldn't want to encourage servers to > assume they can make assumptions here. (I have seen some sites make > strong assumptions of this sort, and they've been sufficiently strong that > they're unsupportable. It's basically incompatible with having any parallel > connections at all.) > > Incidentally, Chrome will never offer or store sessions on renegotiation, > the exact opposite here, and no one seems to have noticed. > > David > > > On Sat, Jun 4, 2016 at 1:16 PM Eric Rescorla <ekr@rtfm.com> wrote: > >> I don't think it's principally about discarding keying material, but >> rather about allowing the server to attach state to a ticket and then have >> predictable behavior. Consider the obvious case of post-handshake client >> auth (which I know you hate) and a client which has tickets issue before >> and after the auth event. If it tries to use them both, that's going to be >> annoying (though I agree, not fatal). >> >> Anyway, I could live without doing this now (part of why I added ticket >> extensions is to let us make these decisions later), if nobody else thinks >> it's that valuable. I *do* think it's important that we make sure that >> analysis supports multiple tickets pointing to the same underlying RMS. >> >> -Ekr >> >> On Sat, Jun 4, 2016 at 10:06 AM, David Benjamin <davidben@chromium.org> >> wrote: >> >>> I'm not sure I follow why the additional "generation" machinery is >>> necessary. >>> >>> What do we gain from having the server to tell us to discard a ticket >>> beyond what the ticket lifetime already gives? This doesn't seem an >>> effective way to discard key material since, unlike the ticket lifetime, we >>> need a live connection to the server at the time. Beyond that, if a client >>> uses a ticket the server no longer likes, we'll just fall back to a full >>> handshake. That seems fine. >>> >>> I would favor simply saying the client SHOULD prefer to use more recent >>> tickets over earlier ones (since that's probably a good idea) and that >>> clients which expect to open multiple concurrent connections SHOULD retain >>> a window of several one-use tickets. We can always add this generation >>> thing back in later as a TicketExtension if we change our minds. >>> >>> Am I missing something? >>> >>> David >>> >>> >>> On Sat, Jun 4, 2016 at 11:52 AM Eric Rescorla <ekr@rtfm.com> wrote: >>> >>>> https://github.com/tlswg/tls13-spec/pull/493 >>>> >>>> Currently the server can send multiple tickets but we don't say >>>> anything about the semantics. >>>> So, say a server sends tickets T_1, T_2, T_3... T_n, and the client >>>> wants to initiate m < n connections, should he use: >>>> >>>> - only T_n >>>> - T_1...T_m >>>> - T_n, T_n-1, ... T_n-m+1 >>>> >>>> The intuition I have had is that we want the third option (latest wins, >>>> but allow multiples for linkability) but the spec doesn't say and there >>>> aren't any semantics that tell you, so I think we want some way for the >>>> server to say "these group of tickets are all co-valid". >>>> >>>> I've just created PR#493, which provides an explicit mechanism for >>>> this, "ticket generations". Tickets with the same generation M are co-valid >>>> and a ticket with generation N expires all tickets with generation M < N. >>>> The nice thing about this encoding is that a client can implement the old >>>> "one ticket at a time" behavior by just ignoring the generation and taking >>>> the last ticket. >>>> >>>> I wanted to call out to cryptographers/analysts that this formalizes >>>> the existing practice (going back to RFC 5077) of having multiple ticket >>>> values tied to the same basic secret (though less so with 1.3 because >>>> tickets issued on connection N+1 don't have the same RMS as those on >>>> connection N). If there is a problem with this, that would be good to know. >>>> >>>> Barring major objections, I'll merge this Thursday. >>>> >>>> >>>> -Ekr >>>> >>>> >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>> >>
- [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Yaron Sheffer
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets David Benjamin
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Jim Schaad
- Re: [TLS] PR #493: Multiple concurrent tickets David Benjamin
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Kyle Rose
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Kyle Rose
- Re: [TLS] PR #493: Multiple concurrent tickets Antoine Delignat-Lavaud
- Re: [TLS] PR #493: Multiple concurrent tickets Felix Günther