Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 21 January 2020 22:53 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F289120639 for <tls@ietfa.amsl.com>; Tue, 21 Jan 2020 14:53:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWgdIKJlV5jJ for <tls@ietfa.amsl.com>; Tue, 21 Jan 2020 14:53:29 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11854120846 for <tls@ietf.org>; Tue, 21 Jan 2020 14:53:29 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 56A9149A73; Tue, 21 Jan 2020 17:53:28 -0500 (EST)
Date: Tue, 21 Jan 2020 17:53:28 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20200121225328.GS73491@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <CADZyTkmaUVj=sFdgg93MuM2au0B=1M1k3yCA1XDoaAneVDmnNw@mail.gmail.com> <14690874-E301-4BC0-B385-00DEBCBA94C2@apple.com> <20191120034812.GQ34850@straasha.imrryr.org> <5FBFE820-8C53-4B32-9520-343279C1A6CC@apple.com> <20191120064819.GR34850@straasha.imrryr.org> <CAPDSy+6DFJ+OYRtYK6eEiUt1noiik4KxqrGFx0ro_RL2Mft_VA@mail.gmail.com> <fd37bd2a-c799-4bf4-95b3-65943681683b@www.fastmail.com> <20200121055411.GJ73491@straasha.imrryr.org> <CABcZeBP=BetaxVo5v-khdykP0U3P6j-e+hL307o8Wn3KC9rmhA@mail.gmail.com> <20200121224610.GR73491@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200121224610.GR73491@straasha.imrryr.org>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DLxa6A8MtYoA17tjtoBR-K-uH8A>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 22:53:34 -0000

On Tue, Jan 21, 2020 at 05:46:10PM -0500, Viktor Dukhovni wrote:

> > 2. The additional cost of multiple tickets seems extraordinarily
> >    small, so I am not at all persuaded that there is enough value in
> >    this use case to justify adding new protocol machinery, even
> >    ignoring point (1) above.
> 
> Postfix has a shared cache (indexed by destination domain+mx host) for
> multiple independent processes racing to use the cache to make remote
> SMTP connections.

I should add that currently Postfix servers with OpenSSL 1.1.1 (i.e.
with TLS 1.3 support) always send 0 tickets on resumption, i.e. expect
that SMTP clients are willing to reuse the previously vended ticket.

Thus a key benefit of the proposed refinement to the extension would be
to allow SMTP clients that want a fresh ticket to unambiguously signal
that intent, and thereby allow *greater* use of single-use tickets.

It would also Postfix differentiate between MTAs and MUAs, where the
latter are likely to want fresh tickets, but even on port 587 or
465, not all clients are MUAs, some are null-client MTAs relaying
to a "smarthost".

--  
    Viktor.