[TLS] PR #493: Multiple concurrent tickets
Eric Rescorla <ekr@rtfm.com> Sat, 04 June 2016 15:52 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 856C5128E19 for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 08:52:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xNUzQWZ-W_Bu for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 08:52:03 -0700 (PDT)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A6C712D1D5 for <tls@ietf.org>; Sat, 4 Jun 2016 08:52:03 -0700 (PDT)
Received: by mail-yw0-x22a.google.com with SMTP id c127so106184205ywb.1 for <tls@ietf.org>; Sat, 04 Jun 2016 08:52:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=AZqptI3xWArA1KCXzdMO6/hiEdUO/k6Yakh0/AA0hJM=; b=OBpQi31T3Dc1IAXrY3VAwWHPKT468II4v7A7Xf1utamwJnBElVk7yZ5o7i+cHclvag mIBClc6TZRwjBTkWhtnny3aODAjjk9DXFJV/R42g8VdGboDKp/HHEGoaYdOyW1Z3tz/R 8j31WJbZWSc1kEDLS2Lgx45AmoAw+BjmroVIHFwewbqCiuvN2LpGoSRs3y4mIaYUKZ8J w5aAHEAHWHYQhA/SetoeosJ+mcNctxSo4vT3O5rkrwhtGbV82xCx1htYZcCe8qZPQGvF KJbsF0I//0qdnMexVi71vssfFiXCjLtEErfBKKljcU5uL8ZwpsSYTz5fiPQX1VQE14VS Xlbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=AZqptI3xWArA1KCXzdMO6/hiEdUO/k6Yakh0/AA0hJM=; b=DtL9r1wU+QmfCd5DRTNAIzDsuA2SU6xwXHX7L+3iwxV7gvOn2qX3B0JNjd6Ei/PMez Yo7jtmAEPufwqQrLznaDpvx1xBUsYNI+c3YtRIXOiY36vrkAmin4kgp8MVZ8lpVRfRJz AB9mOzT6FhmAwFjh89JCujyos2Gek7do//6FrF1tjgaqPQ9lnTRu/CxcMxZsB1XllMB9 8iqb6VD5fatEKZxhPrszezQtqDQureCi9vhw+qLrOIMNRTe068B+hQDGnQyqJHXh60Hl deNzvuD3ESReUQK/6ItnRrRcVCIilr/8eTsSghxexqlCVlOBMmMqVOPqjy3z1yIugnyX vC/Q==
X-Gm-Message-State: ALyK8tLmJLunoe9vyJTPI6Q0Zv0EwUzc4Xv8uWqGJJP/yiVRoTTZyeGIztzXFNwLokp+9TaH8nj1Tp2F2oxmVw==
X-Received: by 10.13.233.1 with SMTP id s1mr6108857ywe.286.1465055522659; Sat, 04 Jun 2016 08:52:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.230.76 with HTTP; Sat, 4 Jun 2016 08:51:23 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 04 Jun 2016 08:51:23 -0700
Message-ID: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c07cfb4018b59053475d225"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/TfVK8PqK_t3lUa4UBjAu2TriJ84>
Subject: [TLS] PR #493: Multiple concurrent tickets
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2016 15:52:05 -0000
https://github.com/tlswg/tls13-spec/pull/493 Currently the server can send multiple tickets but we don't say anything about the semantics. So, say a server sends tickets T_1, T_2, T_3... T_n, and the client wants to initiate m < n connections, should he use: - only T_n - T_1...T_m - T_n, T_n-1, ... T_n-m+1 The intuition I have had is that we want the third option (latest wins, but allow multiples for linkability) but the spec doesn't say and there aren't any semantics that tell you, so I think we want some way for the server to say "these group of tickets are all co-valid". I've just created PR#493, which provides an explicit mechanism for this, "ticket generations". Tickets with the same generation M are co-valid and a ticket with generation N expires all tickets with generation M < N. The nice thing about this encoding is that a client can implement the old "one ticket at a time" behavior by just ignoring the generation and taking the last ticket. I wanted to call out to cryptographers/analysts that this formalizes the existing practice (going back to RFC 5077) of having multiple ticket values tied to the same basic secret (though less so with 1.3 because tickets issued on connection N+1 don't have the same RMS as those on connection N). If there is a problem with this, that would be good to know. Barring major objections, I'll merge this Thursday. -Ekr
- [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Yaron Sheffer
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets David Benjamin
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Jim Schaad
- Re: [TLS] PR #493: Multiple concurrent tickets David Benjamin
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Kyle Rose
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Kyle Rose
- Re: [TLS] PR #493: Multiple concurrent tickets Antoine Delignat-Lavaud
- Re: [TLS] PR #493: Multiple concurrent tickets Felix Günther