Re: [TLS] Security review of TLS1.3 0-RTT

Colm MacCárthaigh <> Fri, 19 May 2017 20:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9A87312945A for <>; Fri, 19 May 2017 13:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JVH-l0CoMGHP for <>; Fri, 19 May 2017 13:18:31 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ECCE5124BFA for <>; Fri, 19 May 2017 13:18:30 -0700 (PDT)
Received: by with SMTP id l14so39739456ywk.1 for <>; Fri, 19 May 2017 13:18:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/96ZD0HZAe7UH1q+dTszIRABA+9Mbd9yT4HIwW5saBo=; b=AevEvDGe+sesn+8xl3o4doXWWpoV1urynduvqE+aC+FaDPhtLbu/BYrbSrFiZ1gqcK kMfOJxI27vhPVDszXrWuHJSueLA9BW+cVFj/D5A/vJyq/4ojo2YQk1VNSsBCjlqv8qk6 Vl9+olJ5SaHbscyK2ng7NlYgEh2fRMRIFzTGZ251r7Vheb6VAmAi5Yjygu9xOzxoedIi Bloql3wvTxEQ7dcM5aA5PVvBuqCmnkr0zWVjjifKulVjyEoklzJA7LTytrLty1gR1RNz qNXzw2Rd4+CCv1yhE+e1O3/FeiZjqHNKTst1U3rNjivtvcyJ3n7cABhwbGS3Cu6h8gnG KVug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/96ZD0HZAe7UH1q+dTszIRABA+9Mbd9yT4HIwW5saBo=; b=fGrfRgFaiPsHTC3qBBFWagtGSFkSEbIfjT51z38y2kayoCvsjrEnqk+LPTfsmhTCZZ Ogy4b8drgsUZossYsehsYji2qvvgYMjQhRQ0q9mVmXRc/GY+iPiOjwBNhfPK3/Q6Y4kq sOtT0xn6ckmSdEgBOs3kFSqKoifeFE5Rcwy0V4sABLWAutoTxv5p85t0CGn5mmeAus3s pMrcKQvwtFsxr9DIqU57/2WUYPT07hgwODCrZFzLTPPpuqsyVsWKd0OwX6iIxGOOThnw pcJIm1d5slvaQzZvKdke/A24nl6sjRJFDPba+pq8CCViDSzFj2BenDWHQiss2VGhnONY Hzig==
X-Gm-Message-State: AODbwcCBSucjLtytupRcd+EpeTOwrAqe9QQ/mysogZpiAhIeIwf/Nfi2 tdFYUVAHINCHc4FeL58gmBjRBypDVRO9
X-Received: by with SMTP id u136mr10101724ywg.323.1495225110203; Fri, 19 May 2017 13:18:30 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 19 May 2017 13:18:29 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <>
From: Colm MacCárthaigh <>
Date: Fri, 19 May 2017 13:18:29 -0700
Message-ID: <>
To: Eric Rescorla <>
Cc: Ilari Liusvaara <>, "" <>
Content-Type: multipart/alternative; boundary="94eb2c0b68aa8ddfca054fe6399d"
Archived-At: <>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 May 2017 20:18:33 -0000

On Fri, May 19, 2017 at 11:44 AM, Eric Rescorla <> wrote:

> Yup. There are no known reasons that prevent at-most-once 0-RTT delivery,
>> even with distributed servers for the origin.
> I don't disagree with that necessarily, but if the client responds by
> retransmitting
> in 1-RTT, then you don't have overall at-most-once.

Obviously this is fine for browsers; retry's make sense there anyway, and
so if we prevent mass-replay then there are no new attacks like the
side-channels and DOSes.

If a client needs to be more careful; with a hard-time limit on ticket use,
it can actually reason its way to at-most-once. It needs to wait out the
time limit, then do a read; to see if the original attempt succeeded or
not, and only then retry. That's a fairly common mode in eventually
consistent systems, loss-tolerant protocols and distributed consensus
protocols. For example some S3 clients and PAXOS systems work like this.

Of course it's very inconvenient to have to sometimes block for 10 seconds
(or whatever we pick), in return for a speed up of maybe as much as ~200ms
in the "ordinary" case; but it's the kind of trade-off that an
instrumentation system might make; like an industrial controller - where
day-to-day system liveness is a massive optimization benefit and the
occasional interruption is no big deal.

Super esoteric, and maybe we shouldn't even think too much about it, but I
bring it out because that construction is the only one I've found that gets
to at-most-once delivery; and it highlights that the existing system
explicitly doesn't and might just be needless complexity (the multiple
streams signaling).