Re: [TLS] 0-RTT, server Application Data, and client Finished
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 29 January 2016 20:53 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD2181B339B for <tls@ietfa.amsl.com>; Fri, 29 Jan 2016 12:53:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DlBQQCiaQJKU for <tls@ietfa.amsl.com>; Fri, 29 Jan 2016 12:53:00 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id A738F1B33B8 for <tls@ietf.org>; Fri, 29 Jan 2016 12:52:59 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id C664B5AD; Fri, 29 Jan 2016 22:52:57 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 9HyRZzKkbViT; Fri, 29 Jan 2016 22:52:57 +0200 (EET)
Received: from LK-Perkele-V2 (87-100-151-39.bb.dnainternet.fi [87.100.151.39]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 1815B230D; Fri, 29 Jan 2016 22:52:57 +0200 (EET)
Date: Fri, 29 Jan 2016 22:52:55 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: David Benjamin <davidben@chromium.org>
Message-ID: <20160129205255.GA20364@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABkgnnXD5ZudUW7d2uQSSo1ULeOgxD97H5Sd0ZN3MXy9X6+4qA@mail.gmail.com> <CAF8qwaCq7LzXp+5ULWYakLXar3_J1QmerfC7EpqHg1TXgxeu5A@mail.gmail.com> <CABkgnnWQT9WDQDJ9EW21STgr_7j4VFqCh4mWS=1Ko7o=sAyXkQ@mail.gmail.com> <CAF8qwaCAbYsQhq-VL=ktfvDLR+1y6TCkFZ7VhmVKNCVUroOJNQ@mail.gmail.com> <CABkgnnUSg1ah9pMRVrDq5SUvkH79aKQXVzW_KNN+SO+DSHoUmw@mail.gmail.com> <CAF8qwaB+zB2=rCdNP22vCM9ZjCEXyeNP4x5=jKK1_gq0F=2yiw@mail.gmail.com> <20160127194416.GA10603@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaB_nKF=YxT-ZRK6D0Pv_wGRhVjHZ-5eDguGh_1JABz4pA@mail.gmail.com> <20160128190909.GA11429@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaA_6Eja2deOxGjNuz+uxJL=ruBqV3-ffCrKZV5VKADKXQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAF8qwaA_6Eja2deOxGjNuz+uxJL=ruBqV3-ffCrKZV5VKADKXQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/SwJxZuPqATgS-idTf7i2nfanxzM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT, server Application Data, and client Finished
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 20:53:02 -0000
On Fri, Jan 29, 2016 at 07:55:53PM +0000, David Benjamin wrote: > On Thu, Jan 28, 2016 at 2:09 PM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > Perhaps I misunderstood you. I read "dynamic reauth" in your message above > as the post-handshake auth mechanism. You said that "server 0-RTT" has > recipient identity change and "dynamic reauth" has sender identity change. > My claim is that "server 0-RTT" also has sender identity change, since that > seemed to be the question you were asking. Did you mean something else? No, it doesn't: The server auth block comes before the data sent, and this block authenticates the sender (which is the server). > Yes, by forbidding CertificateRequest on 0-RTT hit, we are not removing > anything post-handshake auth can't do. That's largely my point. It is > identical in both how it works in good or bad) and how early each message > arrives (see https://www.ietf.org/mail-archive/web/tls/current/msg19159.html > for comparison). Also, there are some subtle attacks on TLS that only fail on client Finished, so client auth block is needed. > I hope the more reasonable protocols without legacy burdens will declare > that post-handshake auth is forbidden and only allow initial-handshake > client auth or none at all, as SPDY and HTTP/2[*] did to renego in TLS 1.2. > Yet it's not obvious CertificateRequest on a 0-RTT hit is equivalent to > post-handshake auth and should be allowed or forbidden together. That actually also depends on what kind of data is sent in 0-RTT. Some protocols might be unsafe in general case, but have restricted subset that is safe in 0-RTT. E.g. protocol banners (e.g. HTTP/2 prelude/SETTINGS) are in general safe. HTTP/2 also has other stuff that could be sent (e.g. preflights or any requests with user privilege). Or protocol could say that anything in 0-RTT is permanently locked to authority it was sent with (including possibly anonymous authority). IIRC, 0-RTT data is explicitly distinct from normal data. > Also, although servers can choose never to do this, clients that implement > post-handshake auth (like HTTP apparently) can't. This figures into the > client API the TLS stack exposes. Despite being in the handshake, this flow > should be exposed via post-handshake auth's API. This is weird, but > handshake-negotiated properties otherwise have nice assumptions like being > constant throughout the connection, should the client's stream depend on > it. Consider ALPN. If a server wishes to pick a different ALPN value from > the 0-RTT-predicted one, it must reject 0-RTT because that data's wrong > anyway. I think the same should be true of in-handshake client auth. IIRC, there is no indication of assumed ALPN for 0-RTT... Also, 0-RTT data is also separate on client side. So in-handshake 1RTT auth is quite different for client than post-handshake auth. Also, I think there should be a way for client to request Certificate- Request, even without valid configuration. This is needed for M2M applications (and some interactive protocols as well). > [*] Sadly, HTTP's legacy burdens caught up to us. Although I see > draft-thomson-http2-client-certs-01 has picked up again, so maybe HTTP/2 > won't use post-handshake auth? Doesn't matter; new multiplexed protocol > without such legacy would best forbid post-handshake auth. Well, considering that they have no choice with TLS 1.2, I presume they will also go that way with TLS 1.3. -Ilari
- [TLS] 0-RTT, server Application Data, and client … David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… Bill Cox
- Re: [TLS] 0-RTT, server Application Data, and cli… Watson Ladd
- Re: [TLS] 0-RTT, server Application Data, and cli… Bill Cox
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… Watson Ladd
- Re: [TLS] 0-RTT, server Application Data, and cli… Salz, Rich
- Re: [TLS] 0-RTT, server Application Data, and cli… Andrei Popov
- Re: [TLS] 0-RTT, server Application Data, and cli… Yoav Nir
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Ilari Liusvaara
- Re: [TLS] 0-RTT, server Application Data, and cli… Andrei Popov
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Ilari Liusvaara
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Ilari Liusvaara