Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Nico Williams <> Thu, 23 January 2020 00:55 UTC

Date: Wed, 22 Jan 2020 18:55:49 -0600
From: Nico Williams <>
To: "Salz, Rich" <>
Cc: Martin Thomson <>, "" <>
Message-ID: <20200123005528.GA12073@localhost>

On Tue, Jan 21, 2020 at 06:19:23PM +0000, Salz, Rich wrote:
> Viktor and I spoke in more detail.  The use-case he brings up makes
> more sense to me now. The key observation is that this is not about a

I also spoke to Viktor, and he explained the motivation in detail.  He
really should have done so on the list, but it is this:

    TL;DR: Postfix multi-process ticket cache DB thrashing pain.

 - Postfix (which he co-maintains) is a multi-process service (with
   client and server functionality -- it's an MTA, after all)

 - Postfix needs a multi-process ticket cache w/ concurrency

 - OpenSSL provides no such thing, only a single-process in-memory
   cache, and also callbacks the app can use to implement its own cache,
   which Postfix then uses to implement a multi-process ticket cache

 - So, getting unnecessary tickets thrashes Postfix's shared cache,
   which costs a fair bit due to synchronization

There are two ways to make this tolerable for Postfix:

 - either the TLS server says "here's a ticket and you MUST or MAY
   replace the one you already had", or

 - the TLS client gets to ask for no unnecessary new tickets

Now the first alternative would be infeasible to adopt because it would
require new OpenSSL callback APIs, and anyways would be a more invasive
change to TLS than the ticketrequest extension makes.

That's why Viktor would prefer the other way: let the client ask for no
unnecessary new tickets.  This has the benefit of saving some bandwidth
and server cycles.

Now, as to the privacy issue.  The server can simply always issue a new
ticket, even if the client didn't want it -- presumably MTAs wouldn't,
but HTTP servers would.  And there is no way for -say- a great firewall
to force you to not get new tickets as the server can still always hand
the client one, and anyways, this extension can be (should be!)
encrypted, so the firewall can't know anyways.  All a great firewall
gets to see is that your connections can or can't be linked.  Especially
given Viktor's use case, we can assume (and require, even) that only
SMTP MTAs might request no new unnecessary tickets, so that great
firewalls really can make no assumptions about this in HTTP use cases,

> "client" in the conventional (or browser) sense, but rather more like
> a peer-to-peer kind of thing, where the client is just the one who
> initiates a connection and might be multiple processes running on
> multiple instances sharing an identity.
> I'm in favor of his suggestion.

Me too.

It's really very simple.  There is no legitimate "unnecessarily complex"
argument; such arguments come across as unnecessarily dismissive.

There is a privacy non-issue, addressed as above, though it's fair to
demand that it be addressed.

Regarding the "define your own extension" responses...  That's fine, I
suppose, but why ever bother with WGLCs for these if changes that
benefit others will generally be rejected out of hand?  Why require TLS
WG review of extensions?  Why not just make an Expert Review registry?
I think the answer to the last question is that we're not ready for that
-- we want some WG review, and, presumably, we want some commonality.
So, unless we're going to go with Expert Review only, then please do not
make this "define your own" argument -- it's at the very least impolite.


PS: Viktor tells me that hey, I've advised him to keep posts pithy, thus
    he elided all the above explanation, but really, IMO, he should have
    explained in detail.
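As an added worked example (not Postfix, OpenSSL or draft code, and not part of the message above): the client and server halves of a ticket_request extension, plus the server-side issuance policy the privacy argument above turns on. The wire layout is an assumption for this example, namely the two-count form the ticketrequests draft later shipped with (a uint8 new_session_count and uint8 resumption_count in ClientHello, a uint8 expected_count in EncryptedExtensions); the extension code point 58 is likewise assumed, and `mta_client_exchange` is a constructed round trip, not a real ClientHello.

```python
"""Added example: ticket_request extension encode/decode and the server
issuance policy an MTA-style client depends on.

Assumed wire layout (the two-count form later published as RFC 9149):
  ClientHello body:          new_session_count (uint8), resumption_count (uint8)
  EncryptedExtensions body:  expected_count (uint8)
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TICKET_REQUEST_EXT_TYPE = 58   # assumed code point for ticket_request


@dataclass(frozen=True)
class ClientTicketRequest:
    new_session_count: int  # tickets wanted after a full handshake
    resumption_count: int   # tickets wanted after a resumed handshake

    def encode(self) -> bytes:
        for v in (self.new_session_count, self.resumption_count):
            if not 0 <= v <= 255:
                raise ValueError("ticket counts are uint8")
        return struct.pack("!BB", self.new_session_count, self.resumption_count)


def decode_client_ticket_request(body: bytes) -> ClientTicketRequest:
    # Exactly two bytes or reject: a lenient parser would accept garbage.
    if len(body) != 2:
        raise ValueError("ticket_request body must be exactly 2 bytes")
    n, r = struct.unpack("!BB", body)
    return ClientTicketRequest(n, r)


def encode_extension(ext_type: int, body: bytes) -> bytes:
    # TLS extension framing: uint16 type, uint16 length, opaque body.
    return struct.pack("!HH", ext_type, len(body)) + body


def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Parse a concatenation of framed extensions with bounds checks."""
    exts: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if len(blob) - off < length:
            raise ValueError("extension length exceeds buffer")
        if ext_type in exts:
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = blob[off:off + length]
        off += length
    return exts


def tickets_to_issue(req: Optional[ClientTicketRequest], resumed: bool,
                     *, always_issue_one: bool, default: int = 2,
                     max_tickets: int = 4) -> int:
    """Server policy. `default` stands in for a library default when no
    request is present (2 tickets, as OpenSSL does for TLS 1.3).
    `always_issue_one` is the HTTP-style choice from the mail: hand out a
    ticket even when the client asked for 0, so an observer learns nothing
    from the client's request. An MTA server leaves it off."""
    if req is None:
        wanted = default
    else:
        wanted = req.resumption_count if resumed else req.new_session_count
    n = min(wanted, max_tickets)     # never let a peer drive unbounded issuance
    if always_issue_one and n == 0:
        n = 1
    return n


def encode_server_hint(expected_count: int) -> bytes:
    if not 0 <= expected_count <= 255:
        raise ValueError("expected_count is uint8")
    return struct.pack("!B", expected_count)


def mta_client_exchange(resumed: bool, server_always_issues: bool) -> int:
    """Constructed round trip for an MTA-style client: one ticket on a
    full handshake, none on resumption (no churn in a shared cache).
    Returns the number of tickets the server will send."""
    req = ClientTicketRequest(new_session_count=1, resumption_count=0)
    client_hello_exts = encode_extension(TICKET_REQUEST_EXT_TYPE, req.encode())
    seen = parse_extensions(client_hello_exts)
    parsed = decode_client_ticket_request(seen[TICKET_REQUEST_EXT_TYPE])
    count = tickets_to_issue(parsed, resumed, always_issue_one=server_always_issues)
    encode_server_hint(count)   # what would go in EncryptedExtensions
    return count
```

The point the policy function makes explicit: a client asking for 0 tickets only ever lowers the server's ceiling, it never binds the server, and the cap on `max_tickets` keeps a hostile request of 255 from turning into 255 NewSessionTicket messages.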