Re: [TLS] Call for consensus: Removing 0-RTT client auth
Subodh Iyengar <subodh@fb.com> Mon, 04 April 2016 17:03 UTC
Return-Path: <prvs=3902cf073b=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5B6F12D600 for <tls@ietfa.amsl.com>; Mon, 4 Apr 2016 10:03:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2n8_e1knpLY3 for <tls@ietfa.amsl.com>; Mon, 4 Apr 2016 10:03:29 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54F9612D52F for <tls@ietf.org>; Mon, 4 Apr 2016 10:03:29 -0700 (PDT)
Received: from pps.filterd (m0044008.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.11/8.16.0.11) with SMTP id u34GURIt032141; Mon, 4 Apr 2016 09:37:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=facebook; bh=O1/Uu/Nr5U9yHuq0KySnEr0p9WVu2fc3/tFCPuP/Dd0=; b=V5CLuHqNMkY7991CBfSualF3xcJELJDF0z2R39GlP4i4hCdQQ3i0o4ZEqEKtGwq4Dg05 Kk8VMAuOHKIFpGxAluDeRrTnP8ZzX8IHyzbUc+y7dVO7DLq1L0l/XKFQTLlAlvuG/1I3 zmEjxLuehmOueSRP+nTs4rIO+StZ6iVs9+Q=
Received: from mail.thefacebook.com ([199.201.64.23]) by mx0a-00082601.pphosted.com with ESMTP id 223up186rh-1 (version=TLSv1 cipher=AES128-SHA bits=128 verify=NOT); Mon, 04 Apr 2016 09:37:00 -0700
Received: from PRN-MBX01-4.TheFacebook.com ([169.254.3.151]) by PRN-CHUB16.TheFacebook.com ([fe80::7948:a494:45d7:3dd9%12]) with mapi id 14.03.0248.002; Mon, 4 Apr 2016 09:36:58 -0700
From: Subodh Iyengar <subodh@fb.com>
To: Dan Harkins <dharkins@lounge.org>, Sean Turner <sean@sn3rd.com>
Thread-Topic: [TLS] Call for consensus: Removing 0-RTT client auth
Thread-Index: AQHRibrYKIycdbeyKkCF0K4tfALgkp95d/wAgACPC8k=
Date: Mon, 04 Apr 2016 16:36:58 +0000
Message-ID: <974CF78E8475CD4CA398B1FCA21C8E995650125D@PRN-MBX01-4.TheFacebook.com>
References: <AABACDA8-6A12-4023-A971-1254CED4893F@sn3rd.com>, <9d1de55db58e33f7e564a03bc140cb49.squirrel@www.trepanning.net>
In-Reply-To: <9d1de55db58e33f7e564a03bc140cb49.squirrel@www.trepanning.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.52.123]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-04-04_07:, , signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PviuVKcB3_EKKqv2W2UstsjIvOg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing 0-RTT client auth
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2016 17:03:32 -0000
If DH 0-RTT client auth is removed, most apps will start using client auth with PSK 0-RTT handshakes which is the current state in TLS 1.2 (with tickets) as Bill previous mentioned. We've encountered implications of this when using TLS1.2 for internal authentication. The tradeoff here is that a server that shares a ticket key with another server can masquerade as any client to the other server. This is a performance / security tradeoff here, and we solve this using partitioning of ticket keys between untrustworthy servers. There are several other implications of session tickets that we already deal with for this security / performance tradeoff, and this is not the worst one. I don't think having some form of 0-RTT client auth is a bad thing since there are engineering implications of not providing client auth during 0-RTT. A server app is using TLS for cert authentication and doing it's own authorization, it might provide certain methods to be accessible without authorization, but others with authorization. In a lot of application protocols, the client would not know about this aproiri. Not having a form of client auth would obviate these from using 0-RTT completely which would be sad. Since 0-RTT DH is still under discussion, maybe we should revisit 0-RTT DH client auth after that is decided? Subodh Iyengar ________________________________________ From: TLS [tls-bounces@ietf.org] on behalf of Dan Harkins [dharkins@lounge.org] Sent: Sunday, April 03, 2016 5:43 PM To: Sean Turner Cc: tls@ietf.org Subject: Re: [TLS] Call for consensus: Removing 0-RTT client auth Hi Sean & Joe, On Tue, March 29, 2016 5:59 am, Sean Turner wrote: > All, > > To make sure we’ve got a clear way forward coming out of our BA > sessions, we need to make sure there’s consensus on a couple of > outstanding issues. So... > > It seems that there is a clear consensus not to support 0-RTT client > authentication in TLS 1.3 at this time. If you think 0-RTT client > authentication needs to be supported please indicate so now and provide > your rationale. I don't think it needs to be supported and would be happy if it was removed. It's a dangerous and flawed feature. My concern is that if (which I fear is pronounced "when") an exploit is found it might be easy to remove in a browser update but there's gonna be some large TLS concentrator vendor that'll have a helluva time getting its deployed boxes patched and it'll be ugly. The rationale for this-- to get an ad to me just that much faster (an ad, I note, that I sure hope my ad blocking software will prevent me from seeing), and that the people who want to do this know what they're doing so it'll all be fine (which is not reassuring in the least)-- just does not justify the risk. regards, Dan. _______________________________________________ TLS mailing list TLS@ietf.org https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwIFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=0Wl8UysaIyWxp0Iw_9TKo4jE9Iwn7DnABCdnYWj_2Kk&s=2SuDKxG_YMEaEm1zqgKy4-aHt4NzUB9QVq8SzByaqp8&e=
- [TLS] Call for consensus: Removing 0-RTT client a… Sean Turner
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Eric Rescorla
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Eric Rescorla
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Dan Harkins
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Subodh Iyengar
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Joseph Salowey