Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 January 2020 12:40 UTC

Date: Thu, 23 Jan 2020 07:40:55 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20200123124055.GF73491@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <CAPDSy+6DFJ+OYRtYK6eEiUt1noiik4KxqrGFx0ro_RL2Mft_VA@mail.gmail.com> <fd37bd2a-c799-4bf4-95b3-65943681683b@www.fastmail.com> <20200121055411.GJ73491@straasha.imrryr.org> <97de6364-c628-45aa-8613-ba1a32cc41b2@www.fastmail.com> <A5448AC9-6EBB-48F9-A1B0-A787FBBCFF05@akamai.com> <08A4B0CD-9903-4027-B672-E8C7AFB34B4D@akamai.com> <20200123005528.GA12073@localhost> <CAN2QdAH7t4fPgBfBSO7Ni1As2bVB9QvCw1s9j0ggqvTRUATE8A@mail.gmail.com> <20200123021455.GA73491@straasha.imrryr.org> <87427017-551e-4633-a0d3-75f378879aa9@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87427017-551e-4633-a0d3-75f378879aa9@redhat.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/E6q9P6-PpLoDzGESZE5JlrXa4Nk>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
Precedence: list

On Thu, Jan 23, 2020 at 12:57:31PM +0100, Hubert Kario wrote:

> > The deployed base of Postfix servers issues multi-use tickets (always,
> > there's no extension to tell me otherwise), and sends zero tickets
> > on resumption, so I need to not just throw away tickets that are
> > still valid.
> 
> I wonder if the approach with a database with strict ACID-ity is the 
> correct one for ticket storage.

It isn't "strict acidity", but there never more than one ticket per
peer, stores replace the existing entry, loads read the latest entry
stored.

> What I mean, is that, especially in postfix case, using slightly older 
> ticket that it could will have minimal impact on the connection.

Slightly older is unavoidable, because time passes between configuring
an SSL connection to use a particular session and actually using it.

If tickets rotate too fast, busy Postfix SMTP clients will frequently
end up with stale tickets, and will fail resumption much of the time.

The server accepts reuse, and defaults to assuming that the client is
willing to reuse.

If the extension provides a tiny bit more signalling at no cost to
applications that have no use for reuse, then I'll be able to also
support clients that explicitly signal non-reuse (e.g. MUAs talking
to a service that is both MSA and SMTP relay).

> Thus a database that is basically append only, with clients that look
> for newest ticket (and disregard races on this lookup) and a
> garbage-collection process that removes old tickets every few hours
> will work ok.

There is indeed a GC process, but we're using off-the-shelf indexed
file dabases (Berkeley DB or LMDB), which are not append only.  And
in any case, this is rather tangential.

The real issue is that I'd like to offer clients that don't reuse a
fresh ticket, but allow clients that do reuse to continue to do that.

Anyway, I wanted to avoid TL;DR, and just present an argument based
largely on:

    - No actual complexity to those that don't ever want reuse
    - Pontential savings to those who for some reason do reuse.

That really ought to be enough, given that ignoring the reuse
case and always issuign a ticket is *free*:

    /* Hande non-use, ignore reuse, and impose local limit */
    if (ticknum == 0) ticknum = 1;
    else if (ticknum == 255) ticknum = 0;
    else if (ticknum > ticklimit) ticknum = ticklimit;

    /* now proceed as in previously solved problem */

  v.s. extension as-is:

    /* Impose local limit */
    if (ticknum > ticklimit) ticknum = ticklimit;

That's a totally trivial change that yields status-quo, but allows other
implementations to do something more intelligent with "ticknum == 0".

-- 
    Viktor.

[TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Stephen Farrell
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Bill Frantz
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni