Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 11 October 2019 21:35 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60399120805 for <tls@ietfa.amsl.com>; Fri, 11 Oct 2019 14:35:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.865
X-Spam-Level:
X-Spam-Status: No, score=-0.865 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ck_ORmnjZlFP for <tls@ietfa.amsl.com>; Fri, 11 Oct 2019 14:35:05 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C8B4120816 for <tls@ietf.org>; Fri, 11 Oct 2019 14:35:05 -0700 (PDT)
Received: from [10.200.2.180] (sdzac10-108-1-nat.nje.twosigma.com [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id EAFC92B6D07 for <tls@ietf.org>; Fri, 11 Oct 2019 17:35:03 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <0c195775-2039-4239-9a4c-66d5c650e9ae@www.fastmail.com>
Date: Fri, 11 Oct 2019 17:35:03 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <B430C336-6796-47C8-AC6C-AB4C4A245E16@dukhovni.org>
References: <156962803631.24993.3421537129925787732@ietfa.amsl.com> <8c2b10b3-bfc2-44b0-997a-1cab0789f1b7@www.fastmail.com> <2781261d-bfa2-4c40-9ca4-6a3a1c9266df@www.fastmail.com> <5816BBD1-14EE-4B72-AEC4-AC7D576C4823@dukhovni.org> <0c195775-2039-4239-9a4c-66d5c650e9ae@www.fastmail.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9OHF9zRLS-WubsbLmIiZxU76EHc>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Oct 2019 21:35:18 -0000

> On Oct 11, 2019, at 4:55 AM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> Yeah, I agree that this is a little thorny.  However, the client asking for one extra and the server vending one more is a relatively small extra expense AND we discourage reuse in the general case.  So, at least from my perspective, this isn't that serious a problem and shouldn't block publication.

In Postfix, multiple SMTP client processes share a 1 slot external
session ticket cache, and expect to re-use tickets until a new one
is issued by the server.  This works poorly with servers that don't
allow re-use, and updating the cache on each connection is rather
wasteful on both ends.

Presently, the Postfix SMTP server assumes clients of the same kind,
and always only issues new tickets *as-needed*.  If clients could
signal their real requirements, that policy would no longer need
to be hard-coded, it would just become a default for clients that
don't send this extension.

Perhaps the solution is to say that clients that don't send the
extension get default application-specific behaviour, possibly
"refresh only as-needed".  If they prefer to always get a specific
number of tickets, they can request that number.

Then I guess I could attempt to honour the extension, and revert
to default behaviour in its absence, making sure that the Postfix
SMTP client either does not ask to send the extension, or invokes
some appropriate OpenSSL interface to ask that it not be sent as
appropriate.

-- 
	Viktor.