Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?

Dave Garrett <davemgarrett@gmail.com> Fri, 19 February 2016 05:44 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 19 Feb 2016 00:44:22 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FcwNV9vxwh18gU27h-WGP1COllk>

On Thursday, February 18, 2016 08:04:05 pm Eric Rescorla wrote:
> PUBLISHED CONFIGURATIONS
> The semi-static mode in principle allows the server to publish its
> configuration (i.e., its semi-static key), e.g., via DNS, which the
> client can then use for 0-RTT handshakes on first contact. However,
> recent conversations (especially with the guys from Cloudflare) have
> convinced me that this probably isn't useful: DNS TXT record
> penetration rates are really bad and all the other proposed mechanisms
> are also pretty problematic. For the few protocols where I was
> thinking that this sort of priming was attractive, it turns out not to
> work well or to have other easier workarounds.
> 
> WHAT ARE THE OPTIONS
> 1. Simply leave things as-is.

Nobody has enough of a reason to have support for DNS records that can do this, yet. Adding it here could change the situation over time.

More importantly, some major sites/services might even want to just cut out the middleware and dump 0RTT configs into a client-synced list of some sort, akin to how some handle HPKP. Not the most elegant of systems, but it would let clients that use such a list have out-of-the-box 0RTT to major high-traffic sites. Ad hoc systems would also be able to preload for 0RTT for their services easily (e.g. make an app & include 0RTT config cache with it).

Even for clients merely getting their config via a first connection, we might be more likely to be able to cache for DHE safely longer than just for PSK for every client.

I think it's a feature worth keeping.


Dave