Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
Stephen Checkoway <s@pahtak.org> Mon, 24 February 2014 13:01 UTC
Return-Path: <s@pahtak.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12CCF1A0862 for <tls@ietfa.amsl.com>; Mon, 24 Feb 2014 05:01:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1LVcXy_zl5tL for <tls@ietfa.amsl.com>; Mon, 24 Feb 2014 05:01:23 -0800 (PST)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com [209.85.216.50]) by ietfa.amsl.com (Postfix) with ESMTP id 061F51A0457 for <tls@ietf.org>; Mon, 24 Feb 2014 05:01:22 -0800 (PST)
Received: by mail-qa0-f50.google.com with SMTP id cm18so5938992qab.23 for <tls@ietf.org>; Mon, 24 Feb 2014 05:01:21 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=IpChpyhI1rJnVBUbXkxVXQnLkdq3qJ5Z0URNJO7y04Y=; b=JXTvI4njrhQ6h2Q7A71FQm6TbsWEZC4x7jiRvA+j+y9m4kvHzQwaAOJF1v3IFUIBi4 pQfGrJ/q81RN3MmKG1GG9Vx60R2NnsgXTvjhVwG9IjcaQD6MT9csgcnf9k/DEdw+A97E w7Vq1LldzF5ik3IZhM6lmqqPVteVBFmUU0PE3NQWU0yLO0biur36CYQI5r9f4W16y5To tv4Iq8DlfOkqH8GCAEl5Bue5LZNoTeaDQdPBkK5a+p1jRVK/5Fjr38ZbnoYo1XLwv/wf xvhIZzNKYlFiveESf+S2jhitVb5ParheCc+/iIKjUBnya2joxrJoIlHqtz5sn8M0h+Yt oayw==
X-Gm-Message-State: ALoCoQlc/SR03Mf8M0scO2ZSLaJH5Pipmasg1dnL3bgtrfS0iAkUWa3rivBrDbTe8l1pCvk3MRMK
X-Received: by 10.140.25.142 with SMTP id 14mr27735121qgt.83.1393246881730; Mon, 24 Feb 2014 05:01:21 -0800 (PST)
Received: from zbox.pahtak.org (c-68-48-196-126.hsd1.md.comcast.net. [68.48.196.126]) by mx.google.com with ESMTPSA id 110sm25253094qgv.19.2014.02.24.05.01.20 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Feb 2014 05:01:20 -0800 (PST)
Received: from [10.0.1.4] (ip-210-102.oberlin.net [208.66.210.102]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by zbox.pahtak.org (Postfix) with ESMTPSA id 18FEDAC28E5; Mon, 24 Feb 2014 08:01:18 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Stephen Checkoway <s@pahtak.org>
In-Reply-To: <CACsn0ckGe+V5chHjvcw+ZYQk7EBFF3_fSVuqJjpNZop-1bOfQA@mail.gmail.com>
Date: Mon, 24 Feb 2014 08:01:18 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <06D16886-A6B7-44D3-B8AC-FD4A46CE467C@pahtak.org>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com> <CACsn0cmZBzrvek_hKTY1Tm-+Win6UOM4paEzJ67JRrk2OZvH7A@mail.gmail.com> <CABcZeBP6miqX3XY=CQfshwfAKoeQRrr5ABhBDa3z+z9hwaYeig@mail.gmail.com> <CACsn0cnpT-UGR_EMupmv68uXCXGS3Qn0CUBY=6jDgaeoi2cVhQ@mail.gmail.com> <4156173A-B7FC-4841-8733-D39009A88BDF@pahtak.org> <CACsn0ckGe+V5chHjvcw+ZYQk7EBFF3_fSVuqJjpNZop-1bOfQA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1827)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/JkrxIIjqoo2sNvN0KCuuIudCYFk
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2014 13:01:25 -0000
On Feb 23, 2014, at 8:31 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sun, Feb 23, 2014 at 5:20 PM, Stephen Checkoway <s@pahtak.org> wrote: >> Hi Watson, >> >> On Feb 23, 2014, at 7:41 PM, Watson Ladd <watsonbladd@gmail.com> wrote: >> >>> Easy solution: limit the options so that there is one acceptable >>> choice, >> >> As much as this appeals to me, this route seems unlikely to be adopted since what's acceptable to you or me is probably not acceptable to everyone. >> >>> with a means to negotiate a future one when that one >>> acceptable choice falls. >> >> It seems likely that this will because the default method and I'm not sure how this is simpler than offering options initially. > > Does anyone have a problem with P256 or Curve25519 with some fallback > option TBD? I don't have a problem with either but, again, that doesn't say anything about everyone else. >>> I'm proposing that we secure the key we are sending SNI data to with >>> some certificate >> >> I'm not sure I'm following you here. As I understand it, the whole issue is that with SNI the server doesn't know which cert to use until after it sees the SNI. Are you proposing that there is some master cert which secures the key used for SNI data and then a separate cert for the given server name? > > In the SNI case the server has a great number of certificates to pick > from, and doesn't know which one to use. My suggestion is that they > use on initially, and if informed they messed up, use that one. So say the server picks the wrong one. This reveals a different server name to the client. This would seem to be an issue if the various names the server is willing to use are private for some reason. With the wrong one chosen, the client has three options: (1) send the SNI in the clear to the server; (2) use the unauthenticated server parameters to establish a key and send the SNI encrypted under that key; or (3) say "nope, pick a different cert and try again." (1) is essentially what we have today but with more overhead; (2) is essentially the proposed mechanism except that it has more overhead and exposes the server name of the incorrectly chosen cert; and (3) could take a significant number of round trips to get the right cert and also enables a client to enumerate all supported server names. None of these seem better so I've probably misunderstood what you're actually proposing. -- Stephen Checkoway
- [TLS] New draft: draft-rescorla-tls13-new-flows-01 Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Kurt Roeckx
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Martin Thomson
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Kurt Roeckx
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Nikos Mavrogiannopoulos
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Tom Ritter
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Tom Ritter
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Hovav Shacham
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Stephen Checkoway
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Stephen Checkoway