Re: [TLS] consensus call: draft-ietf-tls-ticketrequests
Christopher Wood <caw@heapingbits.net> Thu, 05 March 2020 00:41 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F9FA3A0D21 for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 16:41:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=PTk/g5KU; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=aLn5Udcm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcfJlmceYwRV for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 16:41:52 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306A03A0D1B for <tls@ietf.org>; Wed, 4 Mar 2020 16:41:52 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 1C85E21AB8 for <tls@ietf.org>; Wed, 4 Mar 2020 19:41:51 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Wed, 04 Mar 2020 19:41:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=gkUsn iGOar4btWouy3oFMf97fl20MLkXoSEfV3WR8jk=; b=PTk/g5KU1izrbAHhXFr9S 9+PnOl2dHgAxsu+GTzLtpuWkpk9KX8btSDLn4U1PWRQLCiZIUxstsXAnYovNwgmJ htdvwrHrGQ+RqOmlD/aUENA3MmqXqW/iwwxbQBI5qEEDBU4oVC3Udm4TxDeVV2VY bQs6RvOX+ZJTgKqd3Y0lVV+eN07Ker6SHDL34NN0x76DVq3jGNyDrBXT6o2tI7OV vmme6l7Qsj9tPRJmFhEkJjYzmkPO2YsL8lDJtFZEXS3L/Pp8gdAl7Q0maDyXwNax uer/ApjGK0nPOSgCcZ3lkXTWEHp8Yom2v/XsEoICr25f6U5Q1c5HrZ/5vqnTdijt w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=gkUsniGOar4btWouy3oFMf97fl20MLkXoSEfV3WR8 jk=; b=aLn5UdcmhWb/lIpMNKM2JsmEGYitoFpk37YD3HzzLvQiJVvZBJLj55SCw LnSjaT4YajptdS4LtriensUuWJULMqbWwxYw6sLdz02NIzAinvfb/GIrPylR8pxb KKxIwH7naiwbLF48Bjyg946KsLai95PTj41p3nvAGdmalD/CwErfqxSXZ3NLVl7n JppAgNnM6d8ptom2gjvHGEa8dLUnNkiOyUtr+one8BU8FJoEih2gAlriNydD3Y0Z dsRVGZQdBZ0fxrMlPLaVnPFpsaAqePobnMIZ6k6lNzbuIxIa4oGCd0VmeLBIFpQ2 B3O2nl2tlhZ7LxiJHnDJbR8eW+A5w==
X-ME-Sender: <xms:zkpgXrcd9Dvn7-t3xF2-tEJCSyp9-f5c7r-Y3-57Ye5-tNMbuExEWw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedruddtledgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggr fieshhgvrghpihhnghgsihhtshdrnhgvtheqnecuffhomhgrihhnpehivghtfhdrohhrgh dpghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:zkpgXoJuOgVFDFle3tronCRGFQUIqoleVO_siHISHSrmF6YcaQwRPA> <xmx:zkpgXpkr8QY42N82_Fii0NGGG_8NrtR8h2zIYC10lPVBX1LuazVHOQ> <xmx:zkpgXkE-naVaWcVK4ED6rzbQOxq3nII5ThXSbguLe2L6RC2b8Dcz3g> <xmx:z0pgXhNG3PFzL-L9-JEkLo9MATyVkUe32zJ87A_KXZFvP28d9miuRA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DE79D3C00A1; Wed, 4 Mar 2020 19:41:50 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-988-g326a76f-fmstable-20200305v1
Mime-Version: 1.0
Message-Id: <4f3e9a93-1a27-43a8-a4de-f34ee9080d93@www.fastmail.com>
In-Reply-To: <499f4c6f-fa95-44ea-8c44-c985e140c4e0@www.fastmail.com>
References: <4E07012F-AB53-4727-A309-D8A15222A433@sn3rd.com> <0E7E2E43-CC46-488E-981E-BF8417821D85@sn3rd.com> <499f4c6f-fa95-44ea-8c44-c985e140c4e0@www.fastmail.com>
Date: Wed, 04 Mar 2020 16:41:30 -0800
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TZfayIG4SCqnTcA4G2eU8MVt1OE>
Subject: Re: [TLS] consensus call: draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 00:41:56 -0000
On Wed, Mar 4, 2020, at 3:42 PM, Martin Thomson wrote: > I have a third option (mu?) which differs from previous proposals. > > I have been somewhat convinced by the arguments about how resumption is > different and can tolerate the complexity of the additional counter. > That is, endpoints can request replacement of consumed tickets (1 for > when a connection attempt succeeds, N if they race N connections and > only keep one; 1 + M if they want to replace M wasted tickets from M > previous failed connection attempts). > > The text about reuse in PR 18 is not good, however. (PR 18 is also > very wordy, but that's something I will leave to the editors of the > draft.) > > I can live with a solution that has two numbers, but only on the > understanding that 0 means "no tickets". That means no text on reuse, > except to discourage it. It means implying that resumption=0 means > that the client plans to initiate a full handshake in future rather > than explicitly endorsing reuse. As Russ mentions, we might cite the > relevant sections of RFC 8446 when it comes to reuse, but for me that > would have to be in the context of saying not to do that. +1 -- I support two separate numbers given these constraints. Best, Chris > > On Thu, Mar 5, 2020, at 03:06, Sean Turner wrote: > > one more time ... > > > > All, > > > > The purpose of this message is to help the chairs judge consensus on > > the way forward for draft-ietf-tls-ticketrequests. The issue at hand is > > whether the client-initiated ticket request mechanism [0] should be > > modified to add support for ticket reuse, see [1] lines 160-214. As we > > see it, the way forward involves either one draft or two. To that end, > > we would like your input (YES or NO) on the following question by 2359 > > UTC 18 March 2020: > > > > Must the ticket reuse use case be addresses > > in draft-ietf-tls-ticketrequests? > > > > Full disclosure: RFC 8446 recommends against ticket reuse to help > > protect clients from passive observers correlating connections [2]. The > > PR supports ticket reuse for use cases for a server-to-server > > connection that has fixed source addresses and no connection racing; if > > adopted the WG will need to ensure that the security considerations are > > properly documented. > > > > Note: There have been at least three threads on this draft [3][4][5]. > > Please, let’s try to avoid re-litigating the points made therein. > > > > Joe & Sean > > > > [0] https://datatracker.ietf.org/doc/draft-ietf-tls-ticketrequests/ > > [1] https://github.com/tlswg/draft-ietf-tls-ticketrequest/pull/18 > > [2] https://tools.ietf.org/html/rfc8446#appendix-C.4 > > [3] https://mailarchive.ietf.org/arch/msg/tls/2cpoaJRushs09EFeTjPr-Ka3FeI/ > > [4] https://mailarchive.ietf.org/arch/msg/tls/-7J3gMmpHNw9t3URzxvM-3OaTR8/ > > [5] https://mailarchive.ietf.org/arch/msg/tls/FjhqbYYTwzgiV9weeCuxn0tHxPs/ > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] consensus call: draft-ietf-tls-request Sean Turner
- Re: [TLS] consensus call: draft-ietf-tls-request Sean Turner
- [TLS] consensus call: draft-ietf-tls-ticketreques… Sean Turner
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Salz, Rich
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Daniel Migault
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Watson Ladd
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Christopher Wood
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… David Schinazi
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Carrick Bartle
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Carrick Bartle
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Victor Vasiliev
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Nico Williams
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Sean Turner
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Rob Sayre
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Nico Williams
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… David Benjamin
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Sean Turner
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Russ Housley
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Martin Thomson
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Christopher Wood
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Nick Harper
- Re: [TLS] consensus call: (not precluding ticket … Martin Thomson
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: (not precluding ticket … Watson Ladd
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: (not precluding ticket … Nick Harper
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: (not precluding ticket … Nick Harper
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Stephen Farrell
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Rob Sayre
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Stephen Farrell
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Rob Sayre
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Watson Ladd
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Nico Williams
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Rob Sayre
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Stephen Farrell
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Jeremy Harris
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Eric Rescorla
- Re: [TLS] consensus call: (not precluding ticket … Eric Rescorla
- Re: [TLS] [EXTERNAL] Re: consensus call: draft-ie… Andrei Popov
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Sean Turner
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Salz, Rich
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Kyle Nekritz
- Re: [TLS] consensus call: (not precluding ticket … Nick Harper
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: (not precluding ticket … Nick Harper
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Benjamin Kaduk
- Re: [TLS] consensus call: (not precluding ticket … Benjamin Kaduk
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Benjamin Kaduk
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Martin Thomson
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: (not precluding ticket … Benjamin Kaduk
- Re: [TLS] consensus call: (not precluding ticket … Viktor Dukhovni
- Re: [TLS] consensus call: draft-ietf-tls-ticketre… Sean Turner