Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Tommy Pauly <tpauly@apple.com> Fri, 31 January 2020 17:06 UTC

Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: quoted-printable
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Fri, 31 Jan 2020 09:06:12 -0800
References: <97de6364-c628-45aa-8613-ba1a32cc41b2@www.fastmail.com> <A5448AC9-6EBB-48F9-A1B0-A787FBBCFF05@akamai.com> <08A4B0CD-9903-4027-B672-E8C7AFB34B4D@akamai.com> <20200123005528.GA12073@localhost> <CAN2QdAH7t4fPgBfBSO7Ni1As2bVB9QvCw1s9j0ggqvTRUATE8A@mail.gmail.com> <20200123021455.GA73491@straasha.imrryr.org> <87427017-551e-4633-a0d3-75f378879aa9@redhat.com> <20200123124055.GF73491@straasha.imrryr.org> <CACsn0cngxBQTB+Pfw6t_+qsSFb0Kf8mV1U1J1UTsPJiUk=vg0w@mail.gmail.com> <20200123193250.GD12073@localhost> <20200123210151.GG73491@straasha.imrryr.org>
To: tls@ietf.org
In-reply-to: <20200123210151.GG73491@straasha.imrryr.org>
Message-id: <5F5F670C-A0BD-4F38-BEFF-192C171EDAC1@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Hch1Zp0__1dGssf5N9hFN1VGZ_w>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
Precedence: list

First off, thanks for the lively discussion on ticket reuse! I think it's a valid use case and something that should continue to be discussed.

However, for the purposes of the WGLC for this draft, draft-ietf-tls-ticketrequests, it may be best to separate the conversation. It seems that the negotiation of ticket reuse would be best served by another document that could be adopted by the WG. The ticket request document, as it was adopted, was specifically a mechanism to request multiple tickets so as to *avoid* ticket reuse. This is stated several times in the use cases (section 2) and security considerations (section 5). While this does not preclude a future extension that negotiates ticket reuse, I believe, as an author, that enabling ticket reuse is out of scope of this particular document.

Best,
Tommy

> On Jan 23, 2020, at 1:01 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> On Thu, Jan 23, 2020 at 01:32:51PM -0600, Nico Williams wrote:
> 
>> On Thu, Jan 23, 2020 at 09:43:21AM -0800, Watson Ladd wrote:
>>> Sending a new ticket doesn't force clients to store it.
>> 
>> Sure, but if the old ticket will not be accepted again then the client
>> will incur a full handshake later.  The client doesn't know if the old
>> ticket will or will not be accepted again.  Extending the protocol to
>> have the server signal that bit will require new OpenSSL extensions,
>> which is why that is not a sufficiently good response to the Postfix
>> issue.
> 
> Indeed, not storing the ticket breaks resumption.  So I always store the
> ticket (actually what OpenSSL hands me is a serializable opaque
> SSL_SESSION).  For example, when the server allows reuse, but has a
> shorter maximum ticket lifetime, its "as needed" new ticket needs to be
> stored, in order to replace a stale cached session and start using the
> fresh one.
> 
> Regardless, I also believe that not applications need or want the
> marginal privacy offered by single-use tickets (none for clients
> with stable dedicated IP addresses) and it should be possible
> in such cases (at effectively zero cost as proposed) to negotiate
> reuse in a way that allows servers to handle both types of client.
> 
> This would allow Postfix to vend single-use tickets to clients
> that request that (e.g. MUAs).  Right now the code is statically
> optimized for the MTA-to-MTA use-case.
> 
> So making reuse *negotiable* would in fact enhance privacy for MUAs on
> ephemeral IPs sending sufficiently frequent email (from behind a NAT or
> otherwise shared or changing address) to a sufficiently popular
> submission server that it is not trivial to link resumed TLS sessions to
> a given client.
> 
> -- 
>    Viktor.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

[TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Stephen Farrell
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Bill Frantz
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni