Re: [TLS] [EXTERNAL] Opt-in schema for client identification
Dmitry Belyavsky <beldmit@gmail.com> Fri, 16 September 2022 21:23 UTC
Return-Path: <beldmit@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 337F1C14F73B for <tls@ietfa.amsl.com>; Fri, 16 Sep 2022 14:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TRkfK76c1cfc for <tls@ietfa.amsl.com>; Fri, 16 Sep 2022 14:23:32 -0700 (PDT)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 582F2C14F72B for <tls@ietf.org>; Fri, 16 Sep 2022 14:23:32 -0700 (PDT)
Received: by mail-yb1-xb2a.google.com with SMTP id g5so34342098ybg.11 for <tls@ietf.org>; Fri, 16 Sep 2022 14:23:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=MmPDow68/EGaiO2187Wf997U6eihYrF0I36aZKa2QhQ=; b=bCyCHS0LjCWIpFCTrVrZbOLQxC3efEutWpDTj92m77iqJU6vllMmXqiNnmMZvhLP/l XOjkbDY/R5uyHHfcR1wPVSnVzDTvTZy8fsJ6XurKiSyWoZ6tiwaOz/r5KFN7/uo5HNmh GaWigFTvYt8D01UgQl4uk7xGM0V8851zbvlGDxyxo+NS2JAl/Ct7Gf/H4DPLEZsE0/xG vPeLDNbnLLN73gOCh88xjSALFsMOULt1bA5pXuBbcr9DsuVRReNAydw4T0360q1ZPsRq SfwD9GWNWJoDhts3sLVDdygGHboI92oqBPK0Q30G98cccxwIednIFAtn9CB+ptcJV+2A JHPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=MmPDow68/EGaiO2187Wf997U6eihYrF0I36aZKa2QhQ=; b=78n6xrJwQBNzSj+GxD7aacBLgLTqDT6iMjG2DVBYZDmf/KgYHYRvNKaEtdGpWs4j94 72Y0vK84ESBBsaNW2pNf+WPKuz6FDzc+8+TjqAAsHB2cRSqvQBrVwNJJdzGluX+tXG+2 0wuC3Za3QF9oqyjzDhV9Zb7maAGlNtRsL5wCfg2jXuMuja5qgMsjGXWn0l9ZCrypYJHD xEW9Obp6NkElpCB36vXsx7d0Nf1kFDPSQLeqLJTIu3u7u/LBqJl1kqh1PCCTV4dP952C 4jSBzpMQsQuJQYknct3WWLCpmGdU1vyTVrpeHCzeU3PmupT/yGgGgDczvkMXbt9WDPpY 7NVQ==
X-Gm-Message-State: ACrzQf0op4mYKVt1qNj+alyxyNSEQm/kUkUovetFeoLBgOm+Fz66XBp6 k+6pwVFbujxNL+rzVHK8C67spJf+POtryAty708=
X-Google-Smtp-Source: AMsMyM6UZB4aZ4wi9dwxa/WAEFff+30wRqc5A+lVqP4swavepd8HIVu61MIpg90f9uT2rz5YgnkyCX7Z5BbcfHqvQDc=
X-Received: by 2002:a25:3481:0:b0:6ae:df84:237d with SMTP id b123-20020a253481000000b006aedf84237dmr6081193yba.638.1663363411203; Fri, 16 Sep 2022 14:23:31 -0700 (PDT)
MIME-Version: 1.0
References: <CADqLbzJSQuB0Y4kMw7K+37=BBtCDfb+ub+nZSocnx-VVwHNbyQ@mail.gmail.com> <MN2PR00MB068713D9F9E4E0F6FBAFB9B58C489@MN2PR00MB0687.namprd00.prod.outlook.com> <CAF8qwaDAqkYrgtTdpXkjspO9LAge59AQr_MfMx-ScuW-0FMATw@mail.gmail.com> <CADqLbz+TGkPiLa=W6j3suyOKSu6LrY8irDUxE_MxTu3BqrGUDg@mail.gmail.com> <MN2PR00MB0687C801546FE2AD89C683C38C489@MN2PR00MB0687.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0687C801546FE2AD89C683C38C489@MN2PR00MB0687.namprd00.prod.outlook.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Fri, 16 Sep 2022 23:23:18 +0200
Message-ID: <CADqLbzKc4MLBm1dhEz=UDV4sLBwOBCf6WWfg1jtsds_KTOE16w@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: David Benjamin <davidben@chromium.org>, TLS Mailing List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000041db8605e8d1f9d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OGxsSfLTTTY2fkJYR2lGKinO1YQ>
Subject: Re: [TLS] [EXTERNAL] Opt-in schema for client identification
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 21:23:33 -0000
On Fri, 16 Sep 2022, 21:35 Andrei Popov, <Andrei.Popov@microsoft.com> wrote: > > - - processing of invalid session ID, if it is repeated in the 2nd > attempt, can be omitted using a smaller cache on the server side > > Invalid session ID should not lead to handshake failure; it results in a > full handshake and an updated session ID/ticket. > > > Fair point. > > - - a server having more than one valid certificate for the domain > name, can switch between them in various attempts. > > Sure, but arguably TLS has reasonable methods for driving certificate > selection, in terms of signature/hash suites. > TLS doesn't have methods for selecting RSA key length. Too short keys may be rejected by client, and using long key always is too expensive when done for each handshake. > > > - A cleartext correlator between different requests like this would > also be a privacy concern and seems to run counter to the work in RFC 8446, > appendix C.4. > > Correct. I’m trying to see what the use-case would be, regardless of the > proposed design. > > > > *From:* Dmitry Belyavsky <beldmit@gmail.com> > *Sent:* Friday, September 16, 2022 12:01 PM > *To:* David Benjamin <davidben@chromium.org> > *Cc:* Andrei Popov <Andrei.Popov@microsoft.com>; TLS Mailing List < > tls@ietf.org> > *Subject:* Re: [TLS] [EXTERNAL] Opt-in schema for client identification > > > > From the top of my head I can imagine 2 sort of real-life scenarios: > > > > - processing of invalid session ID, if it is repeated in the 2nd attempt, > can be omitted using a smaller cache on the server side > > - a server having more than one valid certificate for the domain name, can > switch between them in various attempts. > > > > I agree with Andrei that other parameters are chosen either according to > client or to the server preferences. > > > > On Fri, Sep 16, 2022 at 8:53 PM David Benjamin <davidben@chromium.org> > wrote: > > I too am not seeing the use case here. Could you elaborate? > > > > Since browsers were mentioned as an example, when Chrome makes several > connections in a row (e.g. to measure impacts of a removal more > accurately), we generally do *not* expect the server to change its > selection algorithm across the two connections. A cleartext correlator > between different requests like this would also be a privacy concern and > seems to run counter to the work in RFC 8446, appendix C.4. > > > > On Fri, Sep 16, 2022 at 10:09 AM Andrei Popov <Andrei.Popov= > 40microsoft.com@dmarc.ietf.org> wrote: > > > - Server can distinguish the client and alter some parameters in > response to make the new connection successful. > > A TLS server would typically choose either server-preferred parameters > (cipher suite, EC curve, etc.) among those advertised by the client, or > honor the client’s preferences. > > Can you give some examples of what a TLS server would alter, to make the > new connection successful, assuming the 2nd ClientHello has the same list > of options as the 1st one? > > Basically, what types of interop failures is this cookie intended to > resolve? > > > > - Modern real-life applications (e.g. browsers) may perform > several handshakes in a row until the connection to the server is finally > rejected. > > Some TLS clients will vary their offered TLS parameters between these > connection attempts. > > > > Cheers, > > > > Andrei > > > > *From:* TLS <tls-bounces@ietf.org> *On Behalf Of *Dmitry Belyavsky > *Sent:* Friday, September 16, 2022 4:32 AM > *To:* TLS Mailing List <tls@ietf.org> > *Subject:* [EXTERNAL] [TLS] Opt-in schema for client identification > > > > Dear colleagues, > > > > I'd like to suggest an opt-in cookie-style schema allowing the server to > identify the client in case when a client performs several unsuccessful > connection attempts. > > > > Modern real-life applications (e.g. browsers) may perform > several handshakes in a row until the connection to the server is finally > rejected. It may make sense to provide different handshake parameters on > the server side on the consequent attempts. > > > > To distinguish the same client from several different clients, it may be > useful to add a cookie-style extension in ClientHello. The server responds > with an encrypted extension containing a random value in a ServerHello. If > the connection fails, a client may send a value received from the server in > the next connection attempt. Server can distinguish the client and alter > some parameters in response to make the new connection successful. > > > > The schema differs from the current session/tickets mechanism because the > current mechanism implies session resumption only for successfully > completed handshakes. > > > > As the schema is opt-in, it doesn't provide any extra surveillance > opportunities. > > > > I understand that the proposed schema may badly work with CDNs. > > > > If there is an interest to my proposal, I could draft it and present on > the upcoming IETF meeting. > > > > -- > > SY, Dmitry Belyavsky > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C01%7CAndrei.Popov%40microsoft.com%7C38aed490bde840d9809d08da98165079%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637989518872154364%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=W7wN3D%2F1eKzp2An8BR4laCg9a%2Bmi8UnsonV04c3rL3k%3D&reserved=0> > > > > > -- > > SY, Dmitry Belyavsky >
- [TLS] Opt-in schema for client identification Dmitry Belyavsky
- Re: [TLS] [EXTERNAL] Opt-in schema for client ide… Andrei Popov
- Re: [TLS] [EXTERNAL] Opt-in schema for client ide… Dmitry Belyavsky
- Re: [TLS] [EXTERNAL] Opt-in schema for client ide… David Benjamin
- Re: [TLS] [EXTERNAL] Opt-in schema for client ide… David Benjamin
- Re: [TLS] [EXTERNAL] Opt-in schema for client ide… Andrei Popov
- Re: [TLS] [EXTERNAL] Opt-in schema for client ide… Dmitry Belyavsky