Re: [TLS] Simpler backward compatibility rules for 0-RTT

Watson Ladd <watsonbladd@gmail.com> Thu, 23 June 2016 14:26 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53D5B12D0DA for <tls@ietfa.amsl.com>; Thu, 23 Jun 2016 07:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ANs8VklOhP1 for <tls@ietfa.amsl.com>; Thu, 23 Jun 2016 07:26:40 -0700 (PDT)
Received: from mail-vk0-x236.google.com (mail-vk0-x236.google.com [IPv6:2607:f8b0:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D03B12B029 for <tls@ietf.org>; Thu, 23 Jun 2016 07:26:40 -0700 (PDT)
Received: by mail-vk0-x236.google.com with SMTP id d185so108421087vkg.0 for <tls@ietf.org>; Thu, 23 Jun 2016 07:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8Y1ATggzQNVtJosX6gDFpyh1FLscSpn000lzKHaoEWM=; b=LegaSROoykrFZNtfz63nG/DmckHEuZU1poMBo+227RlyYV116TGjyjZjplEInKEhFa CP5Iwy5hMwqr7UnLQopYSGnH8uSFNV+zmpMvIojmOj/7hLnS3hVrWF0uo4gQaHq/e4Z/ NsbSDjmqxMPCEEokdZpZDM9W6M+XZKYXXPjEmf3uQHyXYGr9vn97A3zbyh9Y8Cyn0t5s NqUwlaD5SUa3zkaBm1jocvA7nUT0jAV71FR3hwUTTN2Lb9naKkNseRghOPDeJBtziLXG xM3TCIYBCYeX985hWzEtyETGhzgAKEJGF2o3EvVbDFoeoCHNEtszt0AgDkPn9BHADeOg uAsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8Y1ATggzQNVtJosX6gDFpyh1FLscSpn000lzKHaoEWM=; b=QzEueZxOKzJz3UJbnSI164beyiZxS56YQNnq+rMtKG7De8PkpS/5U29D1YBDn72zCj gKQffxbiVIzA+6QZVKKjfNH42hua8DELEcf9pYpwbx+eZVfbnr5uBQyjiL3tc5Tm5oLG LTaxRBlyZf3iWl+7+UxUPOZF9SE16966m/w4CCtCYeil9+7ath08x2SIe7Zu5gl6OKZB cI3E4yWuFdk5+5hwRCHb9WsBEwllzQrfBOFDe/7tJZtkKR6U7/NyFbQtfjDqfHAiQ7nt ucwU4qpTOPyVIcZEr6V1FEj0h9R0+60B7M+dY4MKOZI8o5trM9E0tyWgv8hy6rs72Wvs 5L+Q==
X-Gm-Message-State: ALyK8tKX14gWTy2hSuUVz9+CAG9rA4JqUea1vtpJZIbhSjczTwZreTSMFEoaSt7GjF2JDA/od2Jfx0f/y6FEcQ==
X-Received: by 10.31.129.203 with SMTP id c194mr6434410vkd.26.1466691999092; Thu, 23 Jun 2016 07:26:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.35.78 with HTTP; Thu, 23 Jun 2016 07:26:37 -0700 (PDT)
In-Reply-To: <CABkgnnV4+_TvAGQ2SYWi+REnxSLgV+D_H3gKw0Rz6fswqd8iiA@mail.gmail.com>
References: <CABkgnnVgD2rTgdWkTEhd1b6CUpj_i7wD4-_E2Dd2=nJf1eW5RQ@mail.gmail.com> <CAJ_4DfQ1ttyF0z9vwmuq-yEvbHrh+93k3rkJ7gzgDQZoQnuUpQ@mail.gmail.com> <20160621175413.GB2989@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaCQSERcYNr42=DB-ZcBQde5qkrk8R_AD2qnnEsdwi7NoA@mail.gmail.com> <CABkgnnUsnz3Uh8dH=ke9uO82cgP3S7nJ0fgcs=JpsZu3qr0K0g@mail.gmail.com> <CACsn0c=EcXyrB83HnSbWWrQG5T2AjDQdG2D408qiDjqXEY3Htg@mail.gmail.com> <CABkgnnXdFJHEA60x-KObf_dT1aS5ys49mO4Uffmmw4sKwNX8Yg@mail.gmail.com> <CACsn0cn=B36Tn0O=RaUebAtjqxRVcQFD+kWyFVfXELiHY2ux2w@mail.gmail.com> <CABkgnnV4+_TvAGQ2SYWi+REnxSLgV+D_H3gKw0Rz6fswqd8iiA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 23 Jun 2016 07:26:37 -0700
Message-ID: <CACsn0cmaEcKJsPg418oEoq_QX=+AS-JXzTgp5E=QF7yk_Nqq5w@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BmManh8XY1HTjzDKYkGtN53Dab4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Simpler backward compatibility rules for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2016 14:26:42 -0000

On Tue, Jun 21, 2016 at 8:58 PM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 22 June 2016 at 12:01, Watson Ladd <watsonbladd@gmail.com> wrote:
>> Why isn't 0-RTT an extension in the Client Hello to deal with this?
>
> You can't stream extensions, which unfortunately is required given how
> most software interacts with their TLS stack.

A few months ago we had a lengthy discussion on the list and at TRON
about how risky 0-RTT is. This culminated in the idea that 0RTT data
should be provided through a distinct channel to the application,
along with feedback about whether it was not accepted. If we're
willing to change the interaction pattern to support that, we can
accommodate using 0RTT as an extension by gathering it all and sending
when the handshake happens. But it sounds like you are discussing a
design where the handshake fakes completion if 0-RTT is on, and at
some point later "well, i didn't actually send the data you wanted
to". Or am I missing something about the API design that is motivating
this streaming approach?

>
> Let's be clear, the actual risk we're talking about is pretty-much
> confined to screw-ups.  The deployment screwup where you left one
> server speaking TLS 1.2 somewhere before turning 0-RTT on; and TLS
> MitM, which calling a screw-up might be too positive a statement.

Or you turned on 0-RTT and then got a security advisory resulting in
rolling back to TLS 1.2.
>
> Of course, David is right that screw-ups like this are too common for
> us to do nothing about them.



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.