Re: [TLS] KeyUpdate and unbounded write obligations

Adam Langley <agl@imperialviolet.org> Thu, 18 August 2016 19:42 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 143FE12B01C for <tls@ietfa.amsl.com>; Thu, 18 Aug 2016 12:42:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Balo6kZx50SI for <tls@ietfa.amsl.com>; Thu, 18 Aug 2016 12:42:49 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7E1312B012 for <tls@ietf.org>; Thu, 18 Aug 2016 12:42:48 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id l2so26703195qkf.3 for <tls@ietf.org>; Thu, 18 Aug 2016 12:42:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=VPnM2ewi0sKE9Mxw/sTGsswAz7wRcE+u9IHvFXyaA74=; b=ABLf07Mqf2HE3RrOiQiOMaIShrhflZzGtt6a5MdPQ2s6NT29Uq6cyBGFYqJYRWztUf N4D8RJVsLcBKBPOHCgUD2zK6VlyKLD6RGpMsx9m769S+fN+usjxknYp5SOMkWRgTrB/j Ydp9cUKQiQ6833CPuOpghYSHZFdOaq3XPDVtlYI7BGX2gsmFCtImQ6ozYlEvrnkdEuSY Z7BWUpntoKyaNnVePLxaW5qiQMAHcDPA2IKN86PBrIwiqQ2apz7UeNPUYxfY2uOgLZoZ 965V/2VSirNjcWbmEbQoyq1h58x6/tbNPjsRx1gI5dosVxK7qIbc89KapTcjVW4/ZHH3 sMsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=VPnM2ewi0sKE9Mxw/sTGsswAz7wRcE+u9IHvFXyaA74=; b=R6t6IAmE5A8UKfqXnwdKiz1Td7S07dZ+CSmFxHbSbU2hTiRsWLq0svNItmzcgc0G6G vqReJRnMX5d65eKVgjn0PGCZwYpJHNkQx++chYGkaYMA5wtL2mU9oQRzh+B/qLeu8H3N FxzAVmZjdvAweY3px9FRcr7wMwFX+CK41vKoqmW1wtKhjD0mEo0ijKGWZlhY/3G0gfCi BpAs+tYgD8F3QorD2KGnP7I/UxqVsDj69WUHdnt2jwzeUSF+tExj7tnK+5KclN/HTQQv NIaAwTffW9ZDSk5ae86TywjcLrVd0L+wev4uSUb/rf/DErz5frjsbAy8R1p0W0bY4Pt+ 3tSg==
X-Gm-Message-State: AEkoous2xGBn/1tRVknLLcA+OUAPzbEUbICMk5gCyN3kEE7DD6Ea2RR+FnYPcAJTiV8vFja3RtemXY/HNMgH4w==
X-Received: by 10.55.101.17 with SMTP id z17mr4422160qkb.186.1471549367910; Thu, 18 Aug 2016 12:42:47 -0700 (PDT)
MIME-Version: 1.0
Sender: alangley@gmail.com
Received: by 10.200.36.199 with HTTP; Thu, 18 Aug 2016 12:42:47 -0700 (PDT)
In-Reply-To: <CAMzhQmOmOou6SvmZygJ6emfn2xAnU_jT7zb005fD4NRuOLmnPg@mail.gmail.com>
References: <CAF8qwaDgGHGmuBwhZEz9-=Ss2bfzNAYWfmnbMqQDxTQnMUpH7g@mail.gmail.com> <93086b3c-ca1b-4c37-67e1-efbf417a8b58@akamai.com> <CAF8qwaDfWdCCQpD8z8iY0BMJjbrf8qi-qf5X7mSe8m+hNZu-FQ@mail.gmail.com> <CAMzhQmPB0GXZzh+g=-TMmAp9HQxpZUPcht4zi3_K7WW_ouGg6A@mail.gmail.com> <CAF8qwaC_NGmx4pW=HwsqWTnvZysFhXayHJ1wPVAakWHo7nunxA@mail.gmail.com> <CAMfhd9UOOXLRmNjJogikQHa8QJx+HSLO-WuwJhgKKgAA-5TeBQ@mail.gmail.com> <CAMzhQmOmOou6SvmZygJ6emfn2xAnU_jT7zb005fD4NRuOLmnPg@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
Date: Thu, 18 Aug 2016 12:42:47 -0700
X-Google-Sender-Auth: 0cMBKw0-yCijCrik_n71B99HLHw
Message-ID: <CAMfhd9UQaiWH_CAKNUMymARJAsWv4+3AatjgNEqrD78-rakubA@mail.gmail.com>
To: Keith Winstein <keithw@cs.stanford.edu>
Content-Type: multipart/alternative; boundary="94eb2c05ba545807c3053a5dc96b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/L3fcFOGFGlggmPjah_RW2TsLVis>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 19:42:51 -0000

On Thu, Aug 18, 2016 at 12:20 PM, Keith Winstein <keithw@cs.stanford.edu>
wrote:

> Yes, you need current_receive_generation, or something like it, to get
> P3. This is the subject of our PR #426/580.
>

The KeyUpdate messages are encrypted and thus sequenced with all the
application data. Apart from the Heartbeat message (TLS 6520), which has
not been significantly used in TLS (I think), we've never worried about a
TLS-level ack before.

PR 426 wants a way to retrospectively disclose keys to middleware and wants
to make sure that the receive side is no longer going to trust those keys
before doing so. Having spoken to several vendors of these products in the
past and tried to persuade them to accept read-only access I don't think we
should alter TLS's design for that unless there's a novel argument about
why they would ever accept it. (Because they won't. Their competitive
interest is to have as many "features" as possible, many of which would
require modifying traffic.)


Cheers

AGL