Re: [TLS] Call for consensus: Removing DHE-based 0-RTT

Martin Thomson <martin.thomson@gmail.com> Thu, 31 March 2016 03:33 UTC

Date: Thu, 31 Mar 2016 14:33:29 +1100
Message-ID: <CABkgnnX__CSHcpV4Va4OQS6Nz2ZT-uCn6DFoYDeEwfc-_tbLPg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Wan-Teh Chang <wtc@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/D51tnjMIVXigYotj8qwkLahv4zs>
Cc: "<tls@ietf.org>" <tls@ietf.org>

On 31 March 2016 at 12:41, Wan-Teh Chang <wtc@google.com> wrote:
> But if you already implemented the first row, which is a must, the
> incremental effort to implement the second row seems small -- you just
> need to use server static instead of server ephemeral for SS.

Someone recently suggested that handling the SSLv2-compatible
ClientHello was similarly easy.  It wasn't by any measure simple or
straightforward.  Sure, the request was entirely reasonable, but I now
wish I had pushed back harder.

This involves a different session transcript as input, all the
machinery involved with the ServerConfiguration message, and all the
switching logic associated with a new mode.

I'd rather reduce this to the modes that we know that we need now,
particularly since we know how we could retrofit a DH-based 0-RTT into
a PSK-based protocol.