Re: [TLS] Comments on EndOfEarlyData
Britta Hale <britta.hale@ntnu.no> Tue, 16 May 2017 21:14 UTC
Return-Path: <britta.hale@ntnu.no>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD4CC129B07 for <tls@ietfa.amsl.com>; Tue, 16 May 2017 14:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.303
X-Spam-Level:
X-Spam-Status: No, score=-2.303 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-rG7DZIieAp for <tls@ietfa.amsl.com>; Tue, 16 May 2017 14:14:54 -0700 (PDT)
Received: from samson.item.ntnu.no (samson.item.ntnu.no [129.241.200.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 129FB1294B8 for <tls@ietf.org>; Tue, 16 May 2017 14:10:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by samson.item.ntnu.no (Postfix) with ESMTP id E4BEF480089; Tue, 16 May 2017 23:10:09 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at item.ntnu.no
Received: from samson.item.ntnu.no ([127.0.0.1]) by localhost (samson.item.ntnu.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzRL32u-H_-A; Tue, 16 May 2017 23:10:09 +0200 (CEST)
Received: from [192.168.1.168] (84-52-238.131.3p.ntebredband.no [84.52.238.131]) by samson.item.ntnu.no (Postfix) with ESMTPSA id 49876480087; Tue, 16 May 2017 23:10:09 +0200 (CEST)
To: Eric Rescorla <ekr@rtfm.com>
References: <66025639-5ceb-021a-61c4-60620c402a6c@ntnu.no> <CABcZeBMu=9KPvmz-sDknXpa4Vjer=md=ZqsFqGd6WNEFdAxSdg@mail.gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
From: Britta Hale <britta.hale@ntnu.no>
Message-ID: <1f7c62a1-db73-aeae-97d0-77c769606198@ntnu.no>
Date: Tue, 16 May 2017 23:10:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBMu=9KPvmz-sDknXpa4Vjer=md=ZqsFqGd6WNEFdAxSdg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------AD000A178C7664D319EE0289"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KpFXTaw3D6Ss5fsXqbCuuIre-As>
Subject: Re: [TLS] Comments on EndOfEarlyData
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 21:14:57 -0000
On 16. mai 2017 20:59, Eric Rescorla wrote: >> However, this intuition is incorrect. Alerts signal the end-of-use of >> keys, not the prohibition of further communication under other keys. >> Keys should be deleted and no further data should be sent on the >> connection. > > This last sentence seems to reinforce the motivating intuition here, > namely that the alert signals the end of the *connection*, and so it's > odd to have EOED indicate a key change within a connection. > Avoiding getting caught on the word "connection", EOED signals the end of key use like other alerts, which is the central issue. Notably, EOED does not signal key change, unlike a KeyUpdate message or Finished message - even the name indicates that it is for "end of data". Its behavior is fundamentally like an alert's, indicating only end-of-key use for application data. >> Specifically, the 0-RTT handshake is >> followed by 0-RTT data and finally an EndOfEarlyData alert to end use of >> that key, while in parallel the remainder of the handshake and >> subsequent session key act almost as a further resumption (i.e. under a >> different key). >> > I can see how you could look at it this way, but I'm not sure that that's > the natural way to look at it. If you're not doing DH, then these are > very much derived from the same PSK and the same client-side > nonce. > In that case, they are both then related to the master key of the previous session, which may well have ended with a close_notify, i.e. a properly finished key use signaled by an alert.
- [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Martin Thomson
- Re: [TLS] Comments on EndOfEarlyData Eric Rescorla
- Re: [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Richard Barnes
- Re: [TLS] Comments on EndOfEarlyData Eric Rescorla
- Re: [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Eric Rescorla
- Re: [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Benjamin Kaduk
- Re: [TLS] Comments on EndOfEarlyData Markulf Kohlweiss
- Re: [TLS] Comments on EndOfEarlyData Benjamin Kaduk
- Re: [TLS] Comments on EndOfEarlyData Markulf Kohlweiss
- Re: [TLS] Comments on EndOfEarlyData David Benjamin
- Re: [TLS] Comments on EndOfEarlyData Benjamin Kaduk
- Re: [TLS] Comments on EndOfEarlyData Salz, Rich
- Re: [TLS] Comments on EndOfEarlyData Andrei Popov