IETF Logo Mail Archive

Re: [TLS] consensus call: draft-ietf-tls-ticketrequests

Russ Housley <housley@vigilsec.com> Wed, 04 March 2020 23:32 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A2383A0BEA for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 15:32:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aAItBKKePJbd for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 15:32:36 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 701CA3A0BE5 for <tls@ietf.org>; Wed, 4 Mar 2020 15:32:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 12596300AFB for <tls@ietf.org>; Wed, 4 Mar 2020 18:32:34 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Me7hhE4T6gOB for <tls@ietf.org>; Wed, 4 Mar 2020 18:32:32 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 8BF5F300A02; Wed, 4 Mar 2020 18:32:32 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <0E7E2E43-CC46-488E-981E-BF8417821D85@sn3rd.com>
Date: Wed, 04 Mar 2020 18:32:33 -0500
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4761BE03-E580-4DED-B72F-29798BD82AD7@vigilsec.com>
References: <4E07012F-AB53-4727-A309-D8A15222A433@sn3rd.com> <0E7E2E43-CC46-488E-981E-BF8417821D85@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/P-0gn4Nh8Aiw9UAmTeXPbIm5HO4>
Subject: Re: [TLS] consensus call: draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 23:32:38 -0000

Yes.  I would like to see more than just "Ticket re-use is a security and privacy concern" in the security considerations.  At an absolute minimum, there needs to be a pointer to Section 8 of RFC 8446.

Russ


> On Mar 4, 2020, at 11:06 AM, Sean Turner <sean@sn3rd.com> wrote:
> 
> one more time ...
> 
> All,
> 
> The purpose of this message is to help the chairs judge consensus on the way forward for draft-ietf-tls-ticketrequests. The issue at hand is whether the client-initiated ticket request mechanism [0] should be modified to add support for ticket reuse, see [1] lines 160-214. As we see it, the way forward involves either one draft or two. To that end, we would like your input (YES or NO) on the following question by 2359 UTC 18 March 2020:
> 
> Must the ticket reuse use case be addresses
> in draft-ietf-tls-ticketrequests?
> 
> Full disclosure: RFC 8446 recommends against ticket reuse to help protect clients from passive observers correlating connections [2]. The PR supports ticket reuse for use cases for a server-to-server connection that has fixed source addresses and no connection racing; if adopted the WG will need to ensure that the security considerations are properly documented.
> 
> Note: There have been at least three threads on this draft [3][4][5]. Please, let’s try to avoid re-litigating the points made therein.
> 
> Joe & Sean
> 
> [0] https://datatracker.ietf.org/doc/draft-ietf-tls-ticketrequests/
> [1] https://github.com/tlswg/draft-ietf-tls-ticketrequest/pull/18
> [2] https://tools.ietf.org/html/rfc8446#appendix-C.4
> [3] https://mailarchive.ietf.org/arch/msg/tls/2cpoaJRushs09EFeTjPr-Ka3FeI/
> [4] https://mailarchive.ietf.org/arch/msg/tls/-7J3gMmpHNw9t3URzxvM-3OaTR8/
> [5] https://mailarchive.ietf.org/arch/msg/tls/FjhqbYYTwzgiV9weeCuxn0tHxPs/
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email