[TLS] PR #493: Multiple concurrent tickets

Eric Rescorla <ekr@rtfm.com> Sat, 04 June 2016 15:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 856C5128E19 for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 08:52:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xNUzQWZ-W_Bu for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 08:52:03 -0700 (PDT)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A6C712D1D5 for <tls@ietf.org>; Sat, 4 Jun 2016 08:52:03 -0700 (PDT)
Received: by mail-yw0-x22a.google.com with SMTP id c127so106184205ywb.1 for <tls@ietf.org>; Sat, 04 Jun 2016 08:52:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=AZqptI3xWArA1KCXzdMO6/hiEdUO/k6Yakh0/AA0hJM=; b=OBpQi31T3Dc1IAXrY3VAwWHPKT468II4v7A7Xf1utamwJnBElVk7yZ5o7i+cHclvag mIBClc6TZRwjBTkWhtnny3aODAjjk9DXFJV/R42g8VdGboDKp/HHEGoaYdOyW1Z3tz/R 8j31WJbZWSc1kEDLS2Lgx45AmoAw+BjmroVIHFwewbqCiuvN2LpGoSRs3y4mIaYUKZ8J w5aAHEAHWHYQhA/SetoeosJ+mcNctxSo4vT3O5rkrwhtGbV82xCx1htYZcCe8qZPQGvF KJbsF0I//0qdnMexVi71vssfFiXCjLtEErfBKKljcU5uL8ZwpsSYTz5fiPQX1VQE14VS Xlbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=AZqptI3xWArA1KCXzdMO6/hiEdUO/k6Yakh0/AA0hJM=; b=DtL9r1wU+QmfCd5DRTNAIzDsuA2SU6xwXHX7L+3iwxV7gvOn2qX3B0JNjd6Ei/PMez Yo7jtmAEPufwqQrLznaDpvx1xBUsYNI+c3YtRIXOiY36vrkAmin4kgp8MVZ8lpVRfRJz AB9mOzT6FhmAwFjh89JCujyos2Gek7do//6FrF1tjgaqPQ9lnTRu/CxcMxZsB1XllMB9 8iqb6VD5fatEKZxhPrszezQtqDQureCi9vhw+qLrOIMNRTe068B+hQDGnQyqJHXh60Hl deNzvuD3ESReUQK/6ItnRrRcVCIilr/8eTsSghxexqlCVlOBMmMqVOPqjy3z1yIugnyX vC/Q==
X-Gm-Message-State: ALyK8tLmJLunoe9vyJTPI6Q0Zv0EwUzc4Xv8uWqGJJP/yiVRoTTZyeGIztzXFNwLokp+9TaH8nj1Tp2F2oxmVw==
X-Received: by 10.13.233.1 with SMTP id s1mr6108857ywe.286.1465055522659; Sat, 04 Jun 2016 08:52:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.230.76 with HTTP; Sat, 4 Jun 2016 08:51:23 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 4 Jun 2016 08:51:23 -0700
Message-ID: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c07cfb4018b59053475d225
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/TfVK8PqK_t3lUa4UBjAu2TriJ84>
Subject: [TLS] PR #493: Multiple concurrent tickets
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2016 15:52:05 -0000

https://github.com/tlswg/tls13-spec/pull/493

Currently the server can send multiple tickets but we don't say anything
about the semantics.
So, say a server sends tickets T_1, T_2, T_3... T_n, and the client wants
to initiate m < n connections, should he use:

- only T_n
- T_1...T_m
- T_n, T_n-1, ... T_n-m+1

The intuition I have had is that we want the third option (latest wins, but
allow multiples for linkability) but the spec doesn't say and there aren't
any semantics that tell you, so I think we want some way for the server to
say "these group of tickets are all co-valid".

I've just created PR#493, which provides an explicit mechanism for this,
"ticket generations". Tickets with the same generation M are co-valid and a
ticket with generation N expires all tickets with generation M < N. The
nice thing about this encoding is that a client can implement the old "one
ticket at a time" behavior by just ignoring the generation and taking the
last ticket.

I wanted to call out to cryptographers/analysts that this formalizes the
existing practice (going back to RFC 5077) of having multiple ticket values
tied to the same basic secret (though less so with 1.3 because tickets
issued on connection N+1 don't have the same RMS as those on connection N).
If there is a problem with this, that would be good to know.

Barring major objections, I'll merge this Thursday.


-Ekr