Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

Nicolas Williams <> Tue, 11 May 2010 16:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BBE013A6A80 for <>; Tue, 11 May 2010 09:34:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.947
X-Spam-Status: No, score=-4.947 tagged_above=-999 required=5 tests=[AWL=1.651, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NEzzg1bxXgQM for <>; Tue, 11 May 2010 09:34:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E36893A68DE for <>; Tue, 11 May 2010 09:34:11 -0700 (PDT)
Received: from ( []) by (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4BGXs4Z019190 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 11 May 2010 16:33:56 GMT
Received: from ( []) by (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4BCI6an010760; Tue, 11 May 2010 16:33:52 GMT
Received: from by with ESMTP id 255439181273595626; Tue, 11 May 2010 09:33:46 -0700
Received: from (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 11 May 2010 09:33:46 -0700
Date: Tue, 11 May 2010 11:33:41 -0500
From: Nicolas Williams <>
To: Stefan Santesson <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Auth-Type: Internal IP
X-Source-IP: []
X-CT-RefId: str=0001.0A090209.4BE986F5.00BF:SCFMA4539811,ss=1,fgs=0
Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 May 2010 16:34:12 -0000

On Tue, May 11, 2010 at 05:11:23PM +0200, Stefan Santesson wrote:
> On 10-05-11 5:57 PM, "Nicolas Williams" <> wrote:
> > b) the failure will eventually happen again (since the user will most
> > likely want to talk to the same servers whose objects' checksums
> > collided.
> > 
> Yes, and with the cash for that server flushed, the client will be bound to
> retry without caching (since it has no data cached anymore).

It's not a forgone conclusion that the client will retry.  The retry
will have to be at the application layer, and the application might not
be prepared to retry (since it won't know that the fatal error isn't
quite so fatal).

> The client will then (typically) update it's cache on the next successful
> handshake and problem should be fixed.

If one collision arises once, it will arise again, and again, and again
until all or all-but-one of the colliding objects are retired from use.
The client will have to detect collisions and then mark colliding
objects as must-not-use-from-cache.

Detecting collisions is hard.  If the application does not retry then
you can only heuristically decide that fatal errors imply collisions,
which will often not be the case.  If the application does retry then
the collision can be detected.  The server can't detect collisions any
more reliably nor sooner than the client (the server may have less
context than the client), I think.