IETF Logo Mail Archive

Re: [TLS] 0-RTT, server Application Data, and client Finished

David Benjamin <davidben@chromium.org> Fri, 29 January 2016 19:56 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59DDA1B32AB for <tls@ietfa.amsl.com>; Fri, 29 Jan 2016 11:56:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vjgdLmmc7Rua for <tls@ietfa.amsl.com>; Fri, 29 Jan 2016 11:56:04 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC341B32AA for <tls@ietf.org>; Fri, 29 Jan 2016 11:56:04 -0800 (PST)
Received: by mail-io0-x22f.google.com with SMTP id g73so101479121ioe.3 for <tls@ietf.org>; Fri, 29 Jan 2016 11:56:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=UWqi2ZWA4iQo7MaL8XuR0vD36q6sW92DGu6hC4Ff3m0=; b=lv/apkjC3UWE87HyQw48DMTtkMa9sXUJy0JVhFJxL/IwZMbjf2hnTYZj4t0f6S7Xn3 ZNBRQn3P0KCmSP1UfcDjKw3rPFkZrRHToOE9h07HlWK5kpkLKb+vP6DQQ/NGOhVIwjoV MhFArNDiEdAudGJ6y/7UDcxBd6FN2X9Eo34P0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=UWqi2ZWA4iQo7MaL8XuR0vD36q6sW92DGu6hC4Ff3m0=; b=iy4AEOMrVM2ryNm7WFjPQd3KjI69mnKchMJe53aHWFMbuMcLhIVxpPGIc31+nSQMZs yN+ZSyd4zdz7lfadFqb0HtHPUDHWE98cxmL2pZVKbL3b0XvSPPTCAGsWPTVXMnNzF391 qsbewoeJqjfOudsvNREWuoTHMLZgvIR0MRCGzwwN/SX+qZa00GtAIYa9V5BE8mjTDNKH 2dGjIxm8isu0kjvWWOKoice8KgKp5Y104hskb+TLsCLIg69EIM0CqQz0/loDI92J+w9Z mRuUUV+a+omIhqFl9/810UJF0jUhPZE34oEA0ipfFx0wfvCIdCRk+DpafIklmfcTA2K9 aiNg==
X-Gm-Message-State: AG10YOTRqMpZHy4sCGdBc2jLG6NEaRr2qd+IUJZccDgXna60fWKNsIlTTbIEwxnDKwWsx8W7vuBh4Tqxo0AFNBlK
X-Received: by 10.107.136.200 with SMTP id s69mr602338ioi.120.1454097363629; Fri, 29 Jan 2016 11:56:03 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaCty7qjJGobr+god_TDo+q82hZx2FpOitLQ0ANctWBZ0g@mail.gmail.com> <CABkgnnXD5ZudUW7d2uQSSo1ULeOgxD97H5Sd0ZN3MXy9X6+4qA@mail.gmail.com> <CAF8qwaCq7LzXp+5ULWYakLXar3_J1QmerfC7EpqHg1TXgxeu5A@mail.gmail.com> <CABkgnnWQT9WDQDJ9EW21STgr_7j4VFqCh4mWS=1Ko7o=sAyXkQ@mail.gmail.com> <CAF8qwaCAbYsQhq-VL=ktfvDLR+1y6TCkFZ7VhmVKNCVUroOJNQ@mail.gmail.com> <CABkgnnUSg1ah9pMRVrDq5SUvkH79aKQXVzW_KNN+SO+DSHoUmw@mail.gmail.com> <CAF8qwaB+zB2=rCdNP22vCM9ZjCEXyeNP4x5=jKK1_gq0F=2yiw@mail.gmail.com> <20160127194416.GA10603@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaB_nKF=YxT-ZRK6D0Pv_wGRhVjHZ-5eDguGh_1JABz4pA@mail.gmail.com> <20160128190909.GA11429@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160128190909.GA11429@LK-Perkele-V2.elisa-laajakaista.fi>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 29 Jan 2016 19:55:53 +0000
Message-ID: <CAF8qwaA_6Eja2deOxGjNuz+uxJL=ruBqV3-ffCrKZV5VKADKXQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a113eccdad4347d052a7e6ce8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/I4yB_bbc83o4ebKD0XMtLiDRL3k>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT, server Application Data, and client Finished
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 19:56:06 -0000

On Thu, Jan 28, 2016 at 2:09 PM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Thu, Jan 28, 2016 at 05:36:22PM +0000, David Benjamin wrote:
> > On Wed, Jan 27, 2016 at 2:44 PM Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> >
> > > On Wed, Jan 27, 2016 at 07:28:47PM +0000, David Benjamin wrote:
> > > > On Tue, Jan 26, 2016 at 10:32 PM Martin Thomson <
> > > martin.thomson@gmail.com>
> > >
> > > I don't think the two situations have the same problems:
> > > - "Server 0-RTT" has _recipient_ identity change.
> > > - "Dynamic reauth" has _sender_ identity change.
> > >
> > > You have more concrete examples of things going wrong with "server
> > > 0-RTT"? Because I have major problems coming up with troublesome
> > > cases.
> >
> >
> > The client also has some 0-RTT data which, in the server 0-RTT case, the
> > server reports was accepted and processed. That all is associated with
> the
> > first identity rather than the second. So I believe we have sender
> identity
> > change in both cases.
>
> The 0-RTT being sent under different identity than the application data
> does involve sending identity change, but what does it have to do with
> "server 0-RTT"? The client could do that (and run into trouble with
> badly designed protocols) without "server 0-RTT".
>

Perhaps I misunderstood you. I read "dynamic reauth" in your message above
as the post-handshake auth mechanism. You said that "server 0-RTT" has
recipient identity change and "dynamic reauth" has sender identity change.
My claim is that "server 0-RTT" also has sender identity change, since that
seemed to be the question you were asking. Did you mean something else?

Yes, by forbidding CertificateRequest on 0-RTT hit, we are not removing
anything post-handshake auth can't do. That's largely my point. It is
identical in both how it works in good or bad) and how early each message
arrives (see https://www.ietf.org/mail-archive/web/tls/current/msg19159.html
for
comparison).

I hope the more reasonable protocols without legacy burdens will declare
that post-handshake auth is forbidden and only allow initial-handshake
client auth or none at all, as SPDY and HTTP/2[*] did to renego in TLS 1.2.
Yet it's not obvious CertificateRequest on a 0-RTT hit is equivalent to
post-handshake auth and should be allowed or forbidden together.

Also, although servers can choose never to do this, clients that implement
post-handshake auth (like HTTP apparently) can't. This figures into the
client API the TLS stack exposes. Despite being in the handshake, this flow
should be exposed via post-handshake auth's API. This is weird, but
handshake-negotiated properties otherwise have nice assumptions like being
constant throughout the connection, should the client's stream depend on
it. Consider ALPN. If a server wishes to pick a different ALPN value from
the 0-RTT-predicted one, it must reject 0-RTT because that data's wrong
anyway. I think the same should be true of in-handshake client auth.

Since there is zero benefit to a using this handshake flow over already
existing alternative (this handshake flow is not an optimization), I don't
see how it can be worth this (or any) complexity.

David

[*] Sadly, HTTP's legacy burdens caught up to us. Although I see
draft-thomson-http2-client-certs-01 has picked up again, so maybe HTTP/2
won't use post-handshake auth? Doesn't matter; new multiplexed protocol
without such legacy would best forbid post-handshake auth.

v2.23.0 | Report a Bug | By Email