[TLS] Distinguishing between external/resumption PSKs

"Owen Friel (ofriel)" <ofriel@cisco.com> Thu, 19 September 2019 10:52 UTC


> -----Original Message-----
> From: TLS <tls-bounces@ietf.org>; On Behalf Of Martin Thomson
> Sent: 04 September 2019 02:46
> To: tls@ietf.org
> Subject: Re: [TLS] Binder key labels for imported PSKs
> 
> 
> When we built the ext/res distinction, there was a clear problem expressed.
> We had the potential for both to be used by the same servers at the same
> time (though not for the same connection) and distinguishing between them
> was important

Martin, maybe I am missing something in the threads on this. Is there anything explicit planned in ClientHello PreSharedKeyExtension or PskKeyExchangeModes to explicitly distinguish between ext/res PSKs? Or is it up to server implementation and how the server handles the opaque PskIdentity.identity? E.g. ImportedIdentity.external_identity fields could be stored in one DB table, and (ignoring https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-00#section-9 for now) the server on receipt of a ClientHello searches for PskIdentity.identity in its ImportedIdentity.external_identity table and if that lookup fails, then tries to parse PskIdentity.identity as a NewSessionTicket.ticket? And the order of those two operations is of course implementation specific too.
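As an added example (not from this thread, and not any TLS stack's code), here is the server-side lookup order the message sketches, in Python: parse the identities half of OfferedPsks, check each PskIdentity.identity against the external_identity table, and only if that fails try to parse it as a NewSessionTicket.ticket. The ticket layout, the table contents and the ticket-MAC key are constructed assumptions, since TLS 1.3 leaves both the identity and the ticket opaque.

```python
import hmac, hashlib, struct

# Constructed sample state: the external_identity table and the ticket-MAC key.
EXTERNAL_PSKS = {b"device-0042": b"\x11" * 32}
TICKET_KEY = b"k" * 32

def parse_offered_psk_identities(data):
    """Parse OfferedPsks.identities: a uint16-length vector of
    PskIdentity { opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; }."""
    (total,) = struct.unpack_from("!H", data, 0)
    off, end, out = 2, 2 + total, []
    if end > len(data):
        raise ValueError("identities vector overruns buffer")
    while off < end:
        (ilen,) = struct.unpack_from("!H", data, off)
        off += 2
        if ilen == 0 or off + ilen + 4 > end:
            raise ValueError("malformed PskIdentity")
        identity = data[off:off + ilen]
        (age,) = struct.unpack_from("!I", data, off + ilen)
        out.append((identity, age))
        off += ilen + 4
    return out

def try_parse_ticket(identity):
    """Constructed ticket layout: 16-byte nonce || body || HMAC-SHA256 tag.
    Returns the body if the tag verifies, else None (not a ticket we issued)."""
    if len(identity) < 16 + 32:
        return None
    expect = hmac.new(TICKET_KEY, identity[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(identity[-32:], expect):
        return None
    return identity[16:-32]

def classify_identity(identity):
    """Order from the message: external table first, then ticket parse."""
    if identity in EXTERNAL_PSKS:
        return "external"
    if try_parse_ticket(identity) is not None:
        return "resumption"
    return "unknown"

def make_ticket(body, nonce=b"\x00" * 16):
    """Issue a ticket in the constructed layout (what NewSessionTicket.ticket would carry)."""
    return nonce + body + hmac.new(TICKET_KEY, nonce + body, hashlib.sha256).digest()

def encode_identities(ids):
    """Build the identities vector a client would send (test input only)."""
    body = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", age) for i, age in ids)
    return struct.pack("!H", len(body)) + body
```

The lookup order is a policy choice: with the external table consulted first, an identity that is present there is never tried as a ticket, so the two namespaces must not be allowed to overlap if the server wants the classification to be unambiguous.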