Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
Ryan Hamilton <rch@google.com> Tue, 29 March 2016 18:45 UTC
Return-Path: <rch@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7EEF12E103 for <tls@ietfa.amsl.com>; Tue, 29 Mar 2016 11:45:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zacJExSRYEd3 for <tls@ietfa.amsl.com>; Tue, 29 Mar 2016 11:45:02 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 038DD12E07E for <tls@ietf.org>; Tue, 29 Mar 2016 11:13:15 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id p65so39109376wmp.0 for <tls@ietf.org>; Tue, 29 Mar 2016 11:13:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=GZNPo+qA97WkAVcpgrZV29OkOwEPb7635EZOrSxmkOU=; b=DsywfrAvxtRCgaeur3nxrv/XGcVorChsQ8TI8ihjL+Oc/Pc7rCwVQPMw3wQ+Vh6lqa mqmSniApt8prKi5o2xjYVObRIcuQHZShXNjlsmYObSy1w5XzvKJLpy/eRYgD8OIXtPt+ NoLkVu/E1dTSWEyzuHGnyAHvqXkA6tuRx34tnxuDnYb7KOWZY2GsqbRaPXSmt+QqsegX yWqTGQTnePbfPLlJJXEOyUMTECLVHKVm/YDO20wLAk78lS+QoyC/alEt9VMduTna6u1c buuf86K0TxqQC5uN4Br/4uuo1Kkkczm3A4X9U5/kEM09zZg7n3jBSE57dG3D/ixvEmmv IM7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=GZNPo+qA97WkAVcpgrZV29OkOwEPb7635EZOrSxmkOU=; b=kaRTSquZCB4T7vhNye6GUKFAVrrCtWmQu4Y6d0Od+8iFZxzmMJtmfAAjVpthbdBW46 WIdndBLGDNC0k+jehAIkxWkHTKku//xnsnPcZvP0DbQ4CBC5rMO+WA8C5bT2PAZScizK puLoGo0Bnr9mU4mlX0UWBmqsfc8stK1hreBkoPz9FQBJB3ut0fwdfyrrxktNI9j0qGOt 9H+HFAe28f/ioroYbQ5yyNfcZZ10AWl5JJ+mI3R4i906jmSXSXGUcTVhmEv7LfT5m/oT iP7Pyt065D2+XKj5pvMUfZss8ZnkPhob7/FkTscUJc/F84LJIvZ1TyUKaUShoxSH7AtI KNlg==
X-Gm-Message-State: AD7BkJJFyo+kEz0+SKB9Mtba38br5+fz5rXkVHpPWH7ggOL6BLhaArw3tINY7GIrxRcs9+l42QiYcoNtLb8F7Wm1
MIME-Version: 1.0
X-Received: by 10.194.116.9 with SMTP id js9mr4836270wjb.112.1459275193425; Tue, 29 Mar 2016 11:13:13 -0700 (PDT)
Received: by 10.28.27.132 with HTTP; Tue, 29 Mar 2016 11:13:13 -0700 (PDT)
In-Reply-To: <CALTJjxHDwTgVoCbHpLdAJft1U0h0i0Lt4BknSOJUn6O5yoVj-Q@mail.gmail.com>
References: <063B3B0B-B141-459C-890F-9E001655936F@sn3rd.com> <CALTJjxHDwTgVoCbHpLdAJft1U0h0i0Lt4BknSOJUn6O5yoVj-Q@mail.gmail.com>
Date: Tue, 29 Mar 2016 11:13:13 -0700
Message-ID: <CAJ_4DfTMzNC8yRZ2MQFCdVqRcUp4bgesSi5Cq9S3P2yEdsbDdQ@mail.gmail.com>
From: Ryan Hamilton <rch@google.com>
To: Wan-Teh Chang <wtc@google.com>
Content-Type: multipart/alternative; boundary="001a1130d2188906c2052f33fb51"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/TYngKKAWKSvunmXT3-USUO-8eHg>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2016 18:45:05 -0000
On Tue, Mar 29, 2016 at 10:14 AM, Wan-Teh Chang <wtc@google.com> wrote: > On Tue, Mar 29, 2016 at 6:11 AM, Sean Turner <sean@sn3rd.com> wrote: > > > > There also seems to be (rougher) consensus not to support 0-RTT via DHE > > (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only 0-RTT > mode > > as PSK. The security properties of PSK-based 0-RTT and DHE-based 0-RTT > > are almost identical, but 0-RTT PSK has better performance properties and > > is simpler to specify and implement. Note that this does not permanently > > preclude supporting DHE-based 0-RTT in a future extension, but it would > > not be in the initial TLS 1.3 RFC. > > This will remove a feature from the QUIC protocol, so I'd be > interested in hearing the QUIC team's opinion. > > Since DHE-based 0-RTT is already specified in the TLS 1.3 draft, I'm > not sure if "simplier to specify" should be an important factor. > However, "simpler to implement" is an important consideration. I am > curious to know how we concluded that 0-RTT PSK is simpler to > implement. Did anyone implement both 0-RTT modes and can compare the > difficulties? > > As for 0-RTT PSK having better performance, that comes at the cost of > a previous full handshake with the server. Also, TLS 1.3 clients that > want to do 0-RTT PSK across an application shutdown will need to deal > with the harder problem of storing PSKs persistently. > We've talked about losing DHE 0-RTT within the team, and have concluded that PSK resumption should be an acceptable alternative. As you suspected however, we have not implemented PSK resumption and are instead waiting until we have a TLS 1.3 implementation which supports it which we will use in QUIC. Since Chrome does not persist the TLS session resumption cache to disk, we will likely lose 0-RTT across browser restarts, which is a bit of a bummer. It's probably not too bad, but it does likely suggest we'll need to come up with something more complex for mobile.
- [TLS] Call for consensus: Removing DHE-based 0-RTT Sean Turner
- Re: [TLS] Call for consensus: Removing DHE-based … Bill Cox
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Ryan Hamilton
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Ilari Liusvaara
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Martin Thomson
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Hugo Krawczyk
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hugo Krawczyk
- Re: [TLS] Call for consensus: Removing DHE-based … Martin Thomson
- Re: [TLS] Call for consensus: Removing DHE-based … Joseph Salowey