Re: [TLS] #445: Enhanced New Session Ticket
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 29 April 2016 17:46 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2444812D6BA for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 10:46:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W5LEhsgg9h6u for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 10:46:49 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 958B212D185 for <tls@ietf.org>; Fri, 29 Apr 2016 10:46:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id AF0715D3A; Fri, 29 Apr 2016 20:46:47 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 4sXUcg8pfeoe; Fri, 29 Apr 2016 20:46:47 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-143-35.bb.dnainternet.fi [87.100.143.35]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 500212313; Fri, 29 Apr 2016 20:46:47 +0300 (EEST)
Date: Fri, 29 Apr 2016 20:46:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160429174643.GA17765@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com> <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBMFg4iC-EN9DocqTpmjp46EYrTBdfi-G5nNMKN_xiHxVA@mail.gmail.com> <20160429055831.GA16405@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUFn_UrUFro-yLmn9wf7YkTpRf8anm7LK-bKgYBBkUVNg@mail.gmail.com> <20160429153831.GA16797@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO-C5+93b5qax0wCaUhrKgjVeziphHbQse7NuBCwhdSgA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBO-C5+93b5qax0wCaUhrKgjVeziphHbQse7NuBCwhdSgA@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/J63v6lMrUokhHRVvN9X3dNxs42w>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2016 17:46:51 -0000
On Fri, Apr 29, 2016 at 09:16:07AM -0700, Eric Rescorla wrote: > On Fri, Apr 29, 2016 at 8:38 AM, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > On Fri, Apr 29, 2016 at 04:52:08PM +1000, Martin Thomson wrote: > > > On 29 April 2016 at 15:58, Ilari Liusvaara <ilariliusvaara@welho.com> > > wrote: > > > > EDI looks like rather sizable structure currently (even after compressing > > the configuration_id by obvious means). > > > > Are you looking at a different document than I am: EDI currently is: > > struct { > select (Role) { > case client: > opaque context<0..255>; > > case server: > struct {}; > } > } EarlyDataIndication; > > And the context is basically a placeholder. Ah, I didn't see a PR about it and then looked at Editor's Copy. Clearly a different document. > > >> [extension checking on resumption] > > > > > > > > So the 'etc' stands for "whatever will be defined by future > > extensions"? > > > > One might want to make that clearer. > > > > > > > > Also, things get screwy with SNI, and I think it is better not to try > > to > > > > use SNI with PSK. > > > > > > The primary function of SNI is routing. Remove it and stuff breaks. > > > Thus, I would say include it, but make sure it doesn't result in a > > > change in configuration. The simplest thing to do is reject PSK if > > > the old SNI != the new SNI. > > > > That kind of non-obvious stuff really needs to be included. > > > > They way it is right now written, I think very few TLS stacks are going > > to get it right. > > > > Proposed text would be welcome here. Well, the more I think about this, the messier things about interaction between SNI, "static" PSKs and "dynamic" PSKs seem to be... And unlike ALPN, where problems only appear in context of 0-RTT, now you also get the issues without 0-RTT: > > > I mean for the subsequent handshake. Since 0-RTT ALPN and connection > > > > ALPN needs to match, either: > > > > > > > > 1) Take the 0-RTT ALPN implicitly as connection ALPN. > > > > 2) Signal the same ALPN again, and have that client MUST check it > > matches > > > > and abort otherwise. > > > > > > I believe that we have to do the latter. Since we can't be sure that > > > the server knows the ALPN from before if it has to reject 0-RTT. My > > > plan for this is: > > > > > > 1. store ALPN in the ticket/session > > > 2. if doing 0-RTT, before accepting 0-RTT data, perform the normal > > > ALPN negotiation > > > 3. check the negotiated ALPN with the stored value, and if they don't > > > match reject the 0-RTT data > > > > 4. If 0-RTT is accepted, client checks the ALPN server sent and > > compares it with value it impiled. If those don't match, the client > > MUST abort. > > > > > > 1) would be: > > > > 1. store ALPN in the ticket/session > > 2. if doing 0-RTT, before accepting 0-RTT data, check if the 0-RTT > > ALPN is acceptable. If it isn't, reject 0-RTT. > > 3. If 0-RTT was rejected, select new ALPN, signal it in Encrypted > > Extensions. > > > > That would make ALPN and EDI mutually exclusive in EncryptedExtensions. > > > > This doesn't seem awesome from the client's perspective. I'm trying to make > the ordinary PSK-resumption design less of a special case. Well, the client needs to keep track of the ALP anyway. If for nothing else, to check that the server isn't trying to do anything crazy. I think it is easier for the client just to imply the ALP in presence of accepted 0-RTT. -Ilari
- [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara