IETF Logo Mail Archive

Re: [TLS] consensus call: draft-ietf-tls-ticketrequests

Christopher Wood <caw@heapingbits.net> Thu, 05 March 2020 00:41 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F9FA3A0D21 for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 16:41:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=PTk/g5KU; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=aLn5Udcm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcfJlmceYwRV for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 16:41:52 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306A03A0D1B for <tls@ietf.org>; Wed, 4 Mar 2020 16:41:52 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 1C85E21AB8 for <tls@ietf.org>; Wed, 4 Mar 2020 19:41:51 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Wed, 04 Mar 2020 19:41:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=gkUsn iGOar4btWouy3oFMf97fl20MLkXoSEfV3WR8jk=; b=PTk/g5KU1izrbAHhXFr9S 9+PnOl2dHgAxsu+GTzLtpuWkpk9KX8btSDLn4U1PWRQLCiZIUxstsXAnYovNwgmJ htdvwrHrGQ+RqOmlD/aUENA3MmqXqW/iwwxbQBI5qEEDBU4oVC3Udm4TxDeVV2VY bQs6RvOX+ZJTgKqd3Y0lVV+eN07Ker6SHDL34NN0x76DVq3jGNyDrBXT6o2tI7OV vmme6l7Qsj9tPRJmFhEkJjYzmkPO2YsL8lDJtFZEXS3L/Pp8gdAl7Q0maDyXwNax uer/ApjGK0nPOSgCcZ3lkXTWEHp8Yom2v/XsEoICr25f6U5Q1c5HrZ/5vqnTdijt w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=gkUsniGOar4btWouy3oFMf97fl20MLkXoSEfV3WR8 jk=; b=aLn5UdcmhWb/lIpMNKM2JsmEGYitoFpk37YD3HzzLvQiJVvZBJLj55SCw LnSjaT4YajptdS4LtriensUuWJULMqbWwxYw6sLdz02NIzAinvfb/GIrPylR8pxb KKxIwH7naiwbLF48Bjyg946KsLai95PTj41p3nvAGdmalD/CwErfqxSXZ3NLVl7n JppAgNnM6d8ptom2gjvHGEa8dLUnNkiOyUtr+one8BU8FJoEih2gAlriNydD3Y0Z dsRVGZQdBZ0fxrMlPLaVnPFpsaAqePobnMIZ6k6lNzbuIxIa4oGCd0VmeLBIFpQ2 B3O2nl2tlhZ7LxiJHnDJbR8eW+A5w==
X-ME-Sender: <xms:zkpgXrcd9Dvn7-t3xF2-tEJCSyp9-f5c7r-Y3-57Ye5-tNMbuExEWw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedruddtledgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggr fieshhgvrghpihhnghgsihhtshdrnhgvtheqnecuffhomhgrihhnpehivghtfhdrohhrgh dpghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:zkpgXoJuOgVFDFle3tronCRGFQUIqoleVO_siHISHSrmF6YcaQwRPA> <xmx:zkpgXpkr8QY42N82_Fii0NGGG_8NrtR8h2zIYC10lPVBX1LuazVHOQ> <xmx:zkpgXkE-naVaWcVK4ED6rzbQOxq3nII5ThXSbguLe2L6RC2b8Dcz3g> <xmx:z0pgXhNG3PFzL-L9-JEkLo9MATyVkUe32zJ87A_KXZFvP28d9miuRA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DE79D3C00A1; Wed, 4 Mar 2020 19:41:50 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-988-g326a76f-fmstable-20200305v1
Mime-Version: 1.0
Message-Id: <4f3e9a93-1a27-43a8-a4de-f34ee9080d93@www.fastmail.com>
In-Reply-To: <499f4c6f-fa95-44ea-8c44-c985e140c4e0@www.fastmail.com>
References: <4E07012F-AB53-4727-A309-D8A15222A433@sn3rd.com> <0E7E2E43-CC46-488E-981E-BF8417821D85@sn3rd.com> <499f4c6f-fa95-44ea-8c44-c985e140c4e0@www.fastmail.com>
Date: Wed, 04 Mar 2020 16:41:30 -0800
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TZfayIG4SCqnTcA4G2eU8MVt1OE>
Subject: Re: [TLS] consensus call: draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 00:41:56 -0000


On Wed, Mar 4, 2020, at 3:42 PM, Martin Thomson wrote:
> I have a third option (mu?) which differs from previous proposals.
> 
> I have been somewhat convinced by the arguments about how resumption is 
> different and can tolerate the complexity of the additional counter.  
> That is, endpoints can request replacement of consumed tickets (1 for 
> when a connection attempt succeeds, N if they race N connections and 
> only keep one; 1 + M if they want to replace M wasted tickets from M 
> previous failed connection attempts).
> 
> The text about reuse in PR 18 is not good, however.  (PR 18 is also 
> very wordy, but that's something I will leave to the editors of the 
> draft.)
> 
> I can live with a solution that has two numbers, but only on the 
> understanding that 0 means "no tickets".  That means no text on reuse, 
> except to discourage it.  It means implying that resumption=0 means 
> that the client plans to initiate a full handshake in future rather 
> than explicitly endorsing reuse.  As Russ mentions, we might cite the 
> relevant sections of RFC 8446 when it comes to reuse, but for me that 
> would have to be in the context of saying not to do that.

+1 -- I support two separate numbers given these constraints. 

Best,
Chris

> 
> On Thu, Mar 5, 2020, at 03:06, Sean Turner wrote:
> > one more time ...
> > 
> > All,
> > 
> > The purpose of this message is to help the chairs judge consensus on 
> > the way forward for draft-ietf-tls-ticketrequests. The issue at hand is 
> > whether the client-initiated ticket request mechanism [0] should be 
> > modified to add support for ticket reuse, see [1] lines 160-214. As we 
> > see it, the way forward involves either one draft or two. To that end, 
> > we would like your input (YES or NO) on the following question by 2359 
> > UTC 18 March 2020:
> > 
> >  Must the ticket reuse use case be addresses
> >  in draft-ietf-tls-ticketrequests?
> > 
> > Full disclosure: RFC 8446 recommends against ticket reuse to help 
> > protect clients from passive observers correlating connections [2]. The 
> > PR supports ticket reuse for use cases for a server-to-server 
> > connection that has fixed source addresses and no connection racing; if 
> > adopted the WG will need to ensure that the security considerations are 
> > properly documented.
> > 
> > Note: There have been at least three threads on this draft [3][4][5]. 
> > Please, let’s try to avoid re-litigating the points made therein.
> > 
> > Joe & Sean
> > 
> > [0] https://datatracker.ietf.org/doc/draft-ietf-tls-ticketrequests/
> > [1] https://github.com/tlswg/draft-ietf-tls-ticketrequest/pull/18
> > [2] https://tools.ietf.org/html/rfc8446#appendix-C.4
> > [3] https://mailarchive.ietf.org/arch/msg/tls/2cpoaJRushs09EFeTjPr-Ka3FeI/
> > [4] https://mailarchive.ietf.org/arch/msg/tls/-7J3gMmpHNw9t3URzxvM-3OaTR8/
> > [5] https://mailarchive.ietf.org/arch/msg/tls/FjhqbYYTwzgiV9weeCuxn0tHxPs/
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email