IETF Logo Mail Archive

Re: [TLS] ALPS and TLS 1.3 half-RTT data

Martin Thomson <mt@lowentropy.net> Mon, 01 February 2021 00:14 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314533A1468 for <tls@ietfa.amsl.com>; Sun, 31 Jan 2021 16:14:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=Ti0tNGt6; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=R5MLKhg9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nPHs6MuPS6RJ for <tls@ietfa.amsl.com>; Sun, 31 Jan 2021 16:14:48 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C123F3A1466 for <tls@ietf.org>; Sun, 31 Jan 2021 16:14:48 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 02DA15C005A; Sun, 31 Jan 2021 19:14:48 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Sun, 31 Jan 2021 19:14:48 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm1; bh=0eI8sluN69klmx5C0Jwyas2a4QkF G5eTQ0WDpXOzq/4=; b=Ti0tNGt660pMyXMPP0SqsUang7oDvTjrdxTzxELmQO72 VJaE0YylLASiOv4wJi3cweMNUFWwdcJUZWaUAveQQrQJMiC5ca9NGITZEgQcz2L5 pwRoXwq1pORj2ktsaZcZ9jDaQJx51teZTD8brlIMz31LnacqimBCcxgp6QCkOo80 ay5MrDAYcraRBq753u+xt/kINXfElIP0N5aHQcbQfkEAO0xc/Z/5CFnmNmqaryg4 oZb8IyVQ12YZydWw7BNbnBorrnkjcTD5cqyGtJ6rIz+RDTGHeE6pkfc4lMYS4wvq SilUEYUX3BcM73ByL1zYe3HyioNTXKALlQi87l389A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=0eI8sl uN69klmx5C0Jwyas2a4QkFG5eTQ0WDpXOzq/4=; b=R5MLKhg9tjNi5D8KNYwRpZ RZ/rcQRsypzj1z1ZNnTZDEUkCRd6RjvYiwJVNRQiAWtHg6Xz7oGGChyT3DavYdZv HEj+IYkoeVtneYUvENaL9jMH558ncydq9F4aXk1s8bgBE3lOeaBsOnp3IAxH+Sgj 3iIdTAgVSvjksKDmcm1v1CRXolKelpiIi15rk3Ur92ZX7QRSJ7WnQyHPvx5pNnij MDLbh9dsHlOWlQozm7TjdKwzf/htLd2laaZEGOtuYC876USxP6ba5lC8Wm0X8PP1 Bed6sqajRAndkn6MYvv9T+UR2miKtbB8OjtJUeIHaTPhJE41BcSHTxeBmUMcHQsA ==
X-ME-Sender: <xms:90cXYGPOAhEx9H-gXnY21OyqeBfjgxhvBU0JNnhZxtVDsx5B8lftVw> <xme:90cXYE_u2Ch_U_E4AuJ2JhcggPPx2-RjdAUan6ab-s0xB9ohwoWWWlNAR9OWSu-RZ 5WTBXERSo3h6k235u8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrfeejgddukecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucggtf frrghtthgvrhhnpeekteeuieektdekleefkeevhfekffevvdevgfekgfeluefgvdejjeeg ffeigedtjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:90cXYNTJrHS-KpQRKJ7VD92clG189AddpVcCIqw6sZAH2CvFBDy6lA> <xmx:90cXYGvTORd5zSKF5yEYvEGXBPrX-uu4zZRaopt0DLhrOdRqYtVofg> <xmx:90cXYOfqeMTxAP5mx4F20wNumiEgXkunvjLGfk4vWtzU-N9hcv-bew> <xmx:90cXYGnNkVu3OSfzRxzzMWZJiLdkAVm0I2BR_nuwZOvXICKNG9jvQQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 463C64E0065; Sun, 31 Jan 2021 19:14:47 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-84-gfc141fe8b8-fm-20210125.001-gfc141fe8
Mime-Version: 1.0
Message-Id: <b684e5ee-a0c1-4454-b6ec-93abd1e201c5@www.fastmail.com>
In-Reply-To: <CAF8qwaChpjxhBtR9az0C58Qwscv5YM=PPcV3XDYb=1je2j4bdg@mail.gmail.com>
References: <160703055132.9234.3055845983488231389@ietfa.amsl.com> <CAF8qwaAUE4H2-JxCyQJSWW680=Xp9pkUOQdOQpbLhd-HjYaVcA@mail.gmail.com> <CAH_hAJGfKcDCLA7T_AnXHEK7Y4Qw814mkQcRNq-szF3-83L3Ag@mail.gmail.com> <CAAZdMafs-3xH8ZHaOfC9TZzj-qbfeg8H7b_FLOvkT4XZqChFvQ@mail.gmail.com> <CAH_hAJFZ-Gryiq-hKyX0U0SA96fU1t_eTZEdCEA_E2nRDwwkEA@mail.gmail.com> <CAH_hAJHqQw564VKMRjQTD1a0HXqz907BtO=F_FJ0aiXgHV_J9A@mail.gmail.com> <CAF8qwaChpjxhBtR9az0C58Qwscv5YM=PPcV3XDYb=1je2j4bdg@mail.gmail.com>
Date: Mon, 01 Feb 2021 11:14:28 +1100
From: Martin Thomson <mt@lowentropy.net>
To: David Benjamin <davidben@chromium.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ILbwiGAPxWuAfrhRFjvqkMLXR80>
Subject: Re: [TLS] ALPS and TLS 1.3 half-RTT data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 00:14:50 -0000

On Sat, Jan 30, 2021, at 10:38, David Benjamin wrote:
> How does NSS expose the late client authentication to the application? 
> I thought NSS didn't support half-RTT at all when the server requests 
> client certificates, but perhaps I misunderstood.

There are three states we use with respect to client authentication; those guide what might be done:

1. No CertificateRequest (0.5-RTT is therefore always safe to send)
2. Request a client certificate, but don't require it (positions differ here)
3. Require a client certificate (0.5-RTT is arguably unsafe to send, unless you can be sure it is not conditional on client authentication)

I originally decided to allow 0.5-RTT in cases 1 and 2.  My logic was that a server in that posture always needed to check for a certificate before sending anything.  That is, the server was already in the appropriate posture and enabling 0.5-RTT could not make things worse.  However, Ekr was unhappy with that idea and I decided not to fight it (that doesn't make him any more right, but he was definitely right to insist on stronger justification; I just didn't have the energy to provide that justification, more so because we don't really make a server and all I really wanted to know was that we correctly handled 0.5-RTT at the client).

Back to the main subject...

On reflection, the buffering thing was a false trail.  The reason we have buffering for 0-RTT is primarily because that is followed by handshake-critical data.  We have to clear 0-RTT aside to get to handshake data, because there is a risk that it fills the congestion window and prevents the Finished from ever being sent.  Unless you support blocking writes that also block reads, I don't believe that 0.5-RTT has the same problem.

For me, this whole question is down to imposing constraints on usage.  We have this artificial constraint that says an extension or handshake message (like ALPS) can't contain anything that is conditioned on application data.  That is a useful constraint, because it makes the handshake easier to reason about.  But the same constraint can be applied to 0.5-RTT if we chose, making all versions of it safe to use in the same way (even case 3 above).

At that point, the question becomes whether you think that covering this data with the handshake transcript is worth the head-of-line blocking exposure.  (And other miscellany, I guess, like what your priors are regarding adding more extension points.)

v2.23.0 | Report a Bug | By Email