Re: [TLS] Security review of TLS1.3 0-RTT

Martin Thomson <martin.thomson@gmail.com> Wed, 03 May 2017 07:05 UTC

To: Colm MacCárthaigh <colm@allcosts.net>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D9qjr_AQQ5kfU3uo8RLHv1q_V58>

On 3 May 2017 at 15:32, Colm MacCárthaigh <colm@allcosts.net> wrote:
> I've been thinking more about this. What if tickets are single-use when used
> with 0-RTT, but otherwise allowed for multiple uses? If that's acceptable,
> then could we drop the age from tickets purely used for resumption. That way
> the age would only appear on tickets that are used once.

I could see the way to moving the ticket age to the early_data
extension.  It saves a few bytes in an uncommon case, complicates a
bit of the design, but otherwise isn't overly disruptive.