IETF Logo Mail Archive

[TLS] Separate APIs for 0-RTT

Eric Rescorla <ekr@rtfm.com> Tue, 13 June 2017 08:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D553E129BCC for <tls@ietfa.amsl.com>; Tue, 13 Jun 2017 01:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWP25HPujmsD for <tls@ietfa.amsl.com>; Tue, 13 Jun 2017 01:29:31 -0700 (PDT)
Received: from mail-yb0-x236.google.com (mail-yb0-x236.google.com [IPv6:2607:f8b0:4002:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4487A129BC8 for <tls@ietf.org>; Tue, 13 Jun 2017 01:29:31 -0700 (PDT)
Received: by mail-yb0-x236.google.com with SMTP id 4so33478089ybl.1 for <tls@ietf.org>; Tue, 13 Jun 2017 01:29:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=6cQbeR7I/bRziRk6YMmgmSZ5cIFrXbbgOAo3QyisUZQ=; b=heL24FbKEoqQKbdogneDPN2eozE5KNO3zvIzUzveUF2ehgHjS5RCFq96pDl2exPFiD ZNep58PUwU9L700xRkMNbyXGrDacOh0JM4qMwyvgsL4s67OB8tLnLAvyRelxGEb0L72I MmZ1giR1Pth7b78u1GLJRawVHDTa3EAXP37byW9kS14jNrU2PXcUBYhh8qE108jE8L7R se+SljFZUurcIYLlbwURnMN9p5/v75pFs9V0VwDfqqOE2fViJu454ehx5LF0/ViPgeCQ DAp1DAU4wYyFmiCj5a0Oz6EzqkslYbikSXyA1tI+La7F3A2/3j25XHksNX4gIQmJQpcW fJeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6cQbeR7I/bRziRk6YMmgmSZ5cIFrXbbgOAo3QyisUZQ=; b=FhpDnlkkF2ZC3UiP+ST4uwvbatH8dgvFPqK7HdZM5vw0Oo55AEQQrNs8s+myizH5nC +J7tjn3yQm2l86e3X2eeIm3On0cdcOEZBECGEcT+YeTC4z0H1QJ6Y1ixLmwxlZEJUUMd L13GXvpIYT67sGgRv0RMxw0HdiVVQAQ60TVFHr/arNaZ6KuN3NWjQ0vvidJa2WFhmKJ/ w929IwWyt1rVgPvLfp/YJ2UdrdD22ZXwnkIN1KpsgVcV9dVVb6wpGcUnAWt6DBI8NdkC /VANG7Tp/X1hnqr6VA+B1VkxODYjDmrSLJhDpWrQgG9ekOc7p2Nxs5NC/MbkYcYm1j8l yVWw==
X-Gm-Message-State: AKS2vOxk7eU/gt1p+/kO1qQ73QRn+5bus8tTt+0U2B/S1g0jSoqimBzD FcAikdEdKUgpUXBJKjPMfEAH8liq2XL2GGFKMQ==
X-Received: by 10.37.177.164 with SMTP id h36mr2278785ybj.15.1497342570211; Tue, 13 Jun 2017 01:29:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.144 with HTTP; Tue, 13 Jun 2017 01:28:49 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 13 Jun 2017 09:28:49 +0100
Message-ID: <CABcZeBPkRhjLNT2QKO+DgfjE8-e-KrJ5XOLbA9bR24R1Fd96MQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045eaaa40171a70551d33c01"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LWEEOz9zflgbJp9TFn6JCaa0fSg>
Subject: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 08:29:33 -0000

The current text says:

   0-RTT data has very different security properties from data
   transmitted after a completed handshake: it can be replayed.
   Implementations SHOULD provide different functions for reading and
   writing 0-RTT data and data transmitted after the handshake, and
   SHOULD NOT automatically resend 0-RTT data if it is rejected by the
   server.

I think the second piece of guidance (about automatic re-send) is still
good but it seems like implementations are mostly converging on a single
API. Of the implementations I know, NSS, BoringSSL (I think), and Mint have
a single API and OpenSSL's use of two APIs is an outlier. I don't think
it's helpful to have a SHOULD that a lot of people violate, especially when
this also indicates we don't have consensus on this SHOULD.

I propose we remove this recommendation in favor of one which simply says
that implementations should need applications to opt-in to 0-RTT. That
would allow implementations to have either API.

-Ekr

v2.23.0 | Report a Bug | By Email