Re: [TLS] 0-RTT & resumption

[Eric Rescorla <ekr@rtfm.com>]

On Sat, Jul 25, 2015 at 8:53 PM, Dave Garrett <davemgarrett@gmail.com>
wrote:

> I'm pretty sure some/all of this was likely mentioned elsewhere, but I
> don't see any discussion on-list. (it was mentioned in part of the IETF 93
> recording I watched as this whole topic needing to go to the list, as well)
> There's also related TODOs in the draft on this topic. Here's a start to
> this discussion.
>
> Basically, there's two modes with similar use-cases in TLS 1.3 now: 0-RTT
> connections using the known configuration extension & PSK-based session
> resumption. I don't think their roles are well defined yet.
>
> 1) There is no 0-RTT resumption. The point of resumption is to get back
> into the session quick, but it's arguably slower than not doing it,
> currently.
>
> 0-RTT can do first flight (repeatable) requests:
> https://tools.ietf.org/html/draft-ietf-tls-tls13-07#section-6.2.3
> but PSK-based resumption needs 1-RTT:
> https://tools.ietf.org/html/draft-ietf-tls-tls13-07#section-6.2.4



We agreed on how to do this in Prague. The sticking point was establishing
the cipher suite. I have WIP text on my machine for both of these which I
will be
sending early next week, once I get enough sleep to be able to clean it up,
so I'd ask people to sit tight till then.


2) There's not yet specifics on what cipher suite to use for PSK-based
> resumption.


The consensus in Prague was that you should have to use a matching symmetric
cipher suite.


I don't see a point in doing PSK-based resumption with anything other than
> plain PSK, with no PFS (no (EC)DHE). If you're willing to do the extra work
> for DH, just go straight to normal 0-RTT to get more benefit/flexibility
> with a similar amount of work. The goal is really to get forward secrecy on
> the session, not necessarily every single connection within it. (not that
> it wouldn't be nice) As long as the resumption is within a reasonably short
> window (e.g. few minutes), not doing another DH is fine. After this window,
> normal 0-RTT should be the preferred route.
>

I don't think this is correct. The reason is that resumption also resumes
the client's
authentication state, and client authentication often involves user
interaction, which
is undesirable from the site's perspective. So, it's actually quite
attractive to do
resumption with (EC)DHE. It's also significantly faster if you have an RSA
certificate.



> 3) Just to state the obvious: If a client is going to do PSK resumption
> with a non-PFS suite, it needs to offer a non-PFS suite. Even if it's not
> really going to be negotiated for anything else, I don't really like the
> feel of this. I think it'd also be cleaner if the offered suites didn't
> have to change for resumption. One idea would be to rename the groups
> extension, again, to "supported_key_shares" and mark point 0 (or some other
> if we want to leave 0) as PSK-resumption, specifically.


Yeah, we discussed this internally, but I think it's clumsy. I'd rather
just offer two separate
cipher suites.

-Ekr