Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <> Sat, 16 November 2019 10:05 UTC


On Thu, Nov 14, 2019 at 08:05:34AM -0800, Christopher Wood wrote:

> The only comment that was not integrated was the desire to use the hint
> to express not only a count, but also a bit indicating whether or not
> clients will accept a ticket if the server needs to send one (e.g., if its
> STEK is about to rotate and any old tickets would expire). The authors did
> not incorporate that into the document since it added complexity and there
> didn't seem to be much support for it.

I was hoping Matt Caswell would chime in with his perspective on this topic, as
he and I together refined the ticket generation logic in OpenSSL 1.1.1.  But,
it seems he has not been able to find the requisite cycles, so I'll post my
summary comments as best I can:

1.  The tentative proposal was a client-side indication that new tickets are
    optional, and only needed when the presented ticket requires replacement.
    If still re-usable, accept it without issuing a new one.

    The goal was to make it possible for a client and server to "negotiate"
    re-use, rather than have that be a static feature of the application or a
    given implementation.

2.  The specific suggestion of reserving a bit is more complex than needed; it
    would suffice to simply "subtract 1" from the client's hint:

        0 - (effectively -1), client unconditionally wants no new tickets.

        1 - (effectively 0), client prefers to reuse tickets.  Only issue
            a new ticket if necessary (STEK rotation, ticket expiration, ...),
            or server does not support any ticket reuse.

        n - (effectively n - 1), client would like up to n-1 fresh tickets on
            any full handshake.

    This looks simple enough to me, and allows the client to clearly communicate
    that tickets are optional when reusable.

3.  As noted previously, servers SHOULD NOT generally issue multiple tickets on
    successful resumption, as that leads to unbounded oversupply of tickets.
    Only the server knows whether resumption will happen, or a full handshake,
    and so clamping of the ticket count to 1 on resumption is best a
    server-side decision.

    A client can continue to request the same number of tickets (say hint 3 =>
    2 wanted, per the above), with the server returning that number on full
    handshake, but 1 or zero on resumption.  When the client's presented ticket
    is not suitable for resumption, clearly the client needs new tickets (fresh
    start) and the behaviour should be the same as on an initial connection
    with no tickets from the client.

    The -03 draft added a sentence suggesting that clients should ask for just
    one ticket on resumption, but I would like to suggest that this logic
    belongs in the server.
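
The server-side decision described in points 2 and 3 of the message above, as an added example that is not part of the original message and is not OpenSSL or draft code. The function name, its parameters and the MAX_FRESH_TICKETS cap are hypothetical; issuing one ticket on a full handshake with hint 1, and one ticket on resumption for hints above 1, are assumptions where the message leaves the choice open.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical server policy cap; not taken from the draft or from OpenSSL. */
#define MAX_FRESH_TICKETS 4u

/*
 * Number of NewSessionTicket messages to send, reading the client's hint
 * with the "subtract 1" encoding from point 2 and clamping on resumption
 * in the server as argued in point 3.
 *
 * resumed          - the presented ticket was accepted for resumption
 * ticket_reusable  - that ticket needs no replacement (no STEK rotation,
 *                    not about to expire)
 * server_reuse_ok  - server policy permits ticket reuse at all
 */
unsigned tickets_to_issue(unsigned hint, bool resumed,
                          bool ticket_reusable, bool server_reuse_ok)
{
    if (hint == 0)
        return 0;                   /* client unconditionally wants none */

    if (resumed) {
        /* Hint 1: tickets are optional while the old one stays usable. */
        if (hint == 1 && ticket_reusable && server_reuse_ok)
            return 0;
        /* Assumption: otherwise exactly one, never the full count. */
        return 1;
    }

    /* Full handshake (no ticket, or ticket unusable): fresh start. */
    unsigned wanted = hint - 1;
    if (wanted == 0)
        return 1;   /* assumption: nothing to reuse, so one is "necessary" */
    return wanted > MAX_FRESH_TICKETS ? MAX_FRESH_TICKETS : wanted;
}

int main(void)
{
    for (unsigned hint = 0; hint <= 3; hint++)
        printf("hint %u: full=%u resumed/reusable=%u resumed/stale=%u\n", hint,
               tickets_to_issue(hint, false, false, true),
               tickets_to_issue(hint, true, true, true),
               tickets_to_issue(hint, true, false, true));
    return 0;
}
```

Because the clamp lives in the server, the client sends the same hint on every connection and repeated resumptions cannot accumulate an unbounded supply of tickets.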