IETF Logo Mail Archive

Re: [TLS] [EXTERNAL] Opt-in schema for client identification

Dmitry Belyavsky <beldmit@gmail.com> Fri, 16 September 2022 21:23 UTC

Return-Path: <beldmit@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 337F1C14F73B for <tls@ietfa.amsl.com>; Fri, 16 Sep 2022 14:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TRkfK76c1cfc for <tls@ietfa.amsl.com>; Fri, 16 Sep 2022 14:23:32 -0700 (PDT)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 582F2C14F72B for <tls@ietf.org>; Fri, 16 Sep 2022 14:23:32 -0700 (PDT)
Received: by mail-yb1-xb2a.google.com with SMTP id g5so34342098ybg.11 for <tls@ietf.org>; Fri, 16 Sep 2022 14:23:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=MmPDow68/EGaiO2187Wf997U6eihYrF0I36aZKa2QhQ=; b=bCyCHS0LjCWIpFCTrVrZbOLQxC3efEutWpDTj92m77iqJU6vllMmXqiNnmMZvhLP/l XOjkbDY/R5uyHHfcR1wPVSnVzDTvTZy8fsJ6XurKiSyWoZ6tiwaOz/r5KFN7/uo5HNmh GaWigFTvYt8D01UgQl4uk7xGM0V8851zbvlGDxyxo+NS2JAl/Ct7Gf/H4DPLEZsE0/xG vPeLDNbnLLN73gOCh88xjSALFsMOULt1bA5pXuBbcr9DsuVRReNAydw4T0360q1ZPsRq SfwD9GWNWJoDhts3sLVDdygGHboI92oqBPK0Q30G98cccxwIednIFAtn9CB+ptcJV+2A JHPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=MmPDow68/EGaiO2187Wf997U6eihYrF0I36aZKa2QhQ=; b=78n6xrJwQBNzSj+GxD7aacBLgLTqDT6iMjG2DVBYZDmf/KgYHYRvNKaEtdGpWs4j94 72Y0vK84ESBBsaNW2pNf+WPKuz6FDzc+8+TjqAAsHB2cRSqvQBrVwNJJdzGluX+tXG+2 0wuC3Za3QF9oqyjzDhV9Zb7maAGlNtRsL5wCfg2jXuMuja5qgMsjGXWn0l9ZCrypYJHD xEW9Obp6NkElpCB36vXsx7d0Nf1kFDPSQLeqLJTIu3u7u/LBqJl1kqh1PCCTV4dP952C 4jSBzpMQsQuJQYknct3WWLCpmGdU1vyTVrpeHCzeU3PmupT/yGgGgDczvkMXbt9WDPpY 7NVQ==
X-Gm-Message-State: ACrzQf0op4mYKVt1qNj+alyxyNSEQm/kUkUovetFeoLBgOm+Fz66XBp6 k+6pwVFbujxNL+rzVHK8C67spJf+POtryAty708=
X-Google-Smtp-Source: AMsMyM6UZB4aZ4wi9dwxa/WAEFff+30wRqc5A+lVqP4swavepd8HIVu61MIpg90f9uT2rz5YgnkyCX7Z5BbcfHqvQDc=
X-Received: by 2002:a25:3481:0:b0:6ae:df84:237d with SMTP id b123-20020a253481000000b006aedf84237dmr6081193yba.638.1663363411203; Fri, 16 Sep 2022 14:23:31 -0700 (PDT)
MIME-Version: 1.0
References: <CADqLbzJSQuB0Y4kMw7K+37=BBtCDfb+ub+nZSocnx-VVwHNbyQ@mail.gmail.com> <MN2PR00MB068713D9F9E4E0F6FBAFB9B58C489@MN2PR00MB0687.namprd00.prod.outlook.com> <CAF8qwaDAqkYrgtTdpXkjspO9LAge59AQr_MfMx-ScuW-0FMATw@mail.gmail.com> <CADqLbz+TGkPiLa=W6j3suyOKSu6LrY8irDUxE_MxTu3BqrGUDg@mail.gmail.com> <MN2PR00MB0687C801546FE2AD89C683C38C489@MN2PR00MB0687.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0687C801546FE2AD89C683C38C489@MN2PR00MB0687.namprd00.prod.outlook.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Fri, 16 Sep 2022 23:23:18 +0200
Message-ID: <CADqLbzKc4MLBm1dhEz=UDV4sLBwOBCf6WWfg1jtsds_KTOE16w@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: David Benjamin <davidben@chromium.org>, TLS Mailing List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000041db8605e8d1f9d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OGxsSfLTTTY2fkJYR2lGKinO1YQ>
Subject: Re: [TLS] [EXTERNAL] Opt-in schema for client identification
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 21:23:33 -0000

On Fri, 16 Sep 2022, 21:35 Andrei Popov, <Andrei.Popov@microsoft.com> wrote:

>
>    - - processing of invalid session ID, if it is repeated in the 2nd
>    attempt, can be omitted using a smaller cache on the server side
>
> Invalid session ID should not lead to handshake failure; it results in a
> full handshake and an updated session ID/ticket.
>
>
>
Fair point.

>
>    - - a server having more than one valid certificate for the domain
>    name, can switch between them in various attempts.
>
> Sure, but arguably TLS has reasonable methods for driving certificate
> selection, in terms of signature/hash suites.
>

TLS doesn't have methods for selecting RSA key length. Too short keys may
be rejected by client, and using long key always is too expensive when done
for each handshake.

>
>
>    - A cleartext correlator between different requests like this would
>    also be a privacy concern and seems to run counter to the work in RFC 8446,
>    appendix C.4.
>
> Correct. I’m trying to see what the use-case would be, regardless of the
> proposed design.
>
>
>
> *From:* Dmitry Belyavsky <beldmit@gmail.com>
> *Sent:* Friday, September 16, 2022 12:01 PM
> *To:* David Benjamin <davidben@chromium.org>
> *Cc:* Andrei Popov <Andrei.Popov@microsoft.com>; TLS Mailing List <
> tls@ietf.org>
> *Subject:* Re: [TLS] [EXTERNAL] Opt-in schema for client identification
>
>
>
> From the top of my head I can imagine 2 sort of real-life scenarios:
>
>
>
> - processing of invalid session ID, if it is repeated in the 2nd attempt,
> can be omitted using a smaller cache on the server side
>
> - a server having more than one valid certificate for the domain name, can
> switch between them in various attempts.
>
>
>
> I agree with Andrei that other parameters are chosen either according to
> client or to the server preferences.
>
>
>
> On Fri, Sep 16, 2022 at 8:53 PM David Benjamin <davidben@chromium.org>
> wrote:
>
> I too am not seeing the use case here. Could you elaborate?
>
>
>
> Since browsers were mentioned as an example, when Chrome makes several
> connections in a row (e.g. to measure impacts of a removal more
> accurately), we generally do *not* expect the server to change its
> selection algorithm across the two connections. A cleartext correlator
> between different requests like this would also be a privacy concern and
> seems to run counter to the work in RFC 8446, appendix C.4.
>
>
>
> On Fri, Sep 16, 2022 at 10:09 AM Andrei Popov <Andrei.Popov=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
>
>    - Server can distinguish the client and alter some parameters in
>    response to make the new connection successful.
>
> A TLS server would typically choose either server-preferred parameters
> (cipher suite, EC curve, etc.) among those advertised by the client, or
> honor the client’s preferences.
>
> Can you give some examples of what a TLS server would alter, to make the
> new connection successful, assuming the 2nd ClientHello has the same list
> of options as the 1st one?
>
> Basically, what types of interop failures is this cookie intended to
> resolve?
>
>
>
>    - Modern real-life applications (e.g. browsers) may perform
>    several handshakes in a row until the connection to the server is finally
>    rejected.
>
> Some TLS clients will vary their offered TLS parameters between these
> connection attempts.
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *Dmitry Belyavsky
> *Sent:* Friday, September 16, 2022 4:32 AM
> *To:* TLS Mailing List <tls@ietf.org>
> *Subject:* [EXTERNAL] [TLS] Opt-in schema for client identification
>
>
>
> Dear colleagues,
>
>
>
> I'd like to suggest an opt-in cookie-style schema allowing the server to
> identify the client in case when a client performs several unsuccessful
> connection attempts.
>
>
>
> Modern real-life applications (e.g. browsers) may perform
> several handshakes in a row until the connection to the server is finally
> rejected. It may make sense to provide different handshake parameters on
> the server side on the consequent attempts.
>
>
>
> To distinguish the same client from several different clients, it may be
> useful to add a cookie-style extension in ClientHello. The server responds
> with an encrypted extension containing a random value in a ServerHello. If
> the connection fails, a client may send a value received from the server in
> the next connection attempt. Server can distinguish the client and alter
> some parameters in response to make the new connection successful.
>
>
>
> The schema differs from the current session/tickets mechanism because the
> current mechanism implies session resumption only for successfully
> completed handshakes.
>
>
>
> As the schema is opt-in, it doesn't provide any extra surveillance
> opportunities.
>
>
>
> I understand that the proposed schema may badly work with CDNs.
>
>
>
> If there is an interest to my proposal, I could draft it and present on
> the upcoming IETF meeting.
>
>
>
> --
>
> SY, Dmitry Belyavsky
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C01%7CAndrei.Popov%40microsoft.com%7C38aed490bde840d9809d08da98165079%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637989518872154364%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=W7wN3D%2F1eKzp2An8BR4laCg9a%2Bmi8UnsonV04c3rL3k%3D&reserved=0>
>
>
>
>
> --
>
> SY, Dmitry Belyavsky
>

v2.23.0 | Report a Bug | By Email