IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

Hubert Kario <hkario@redhat.com> Fri, 04 October 2019 16:44 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C62841200A1 for <tls@ietfa.amsl.com>; Fri, 4 Oct 2019 09:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AkziFqWVcVlr for <tls@ietfa.amsl.com>; Fri, 4 Oct 2019 09:44:14 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE464120048 for <tls@ietf.org>; Fri, 4 Oct 2019 09:44:13 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7B76B309BF23; Fri, 4 Oct 2019 16:44:13 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.184]) by smtp.corp.redhat.com (Postfix) with ESMTP id CF3E110018F8; Fri, 4 Oct 2019 16:44:12 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Fri, 04 Oct 2019 18:44:06 +0200
Message-ID: <5308311.VbF7qBjPJL@pintsize.usersys.redhat.com>
In-Reply-To: <F21EF885-96B5-411F-B79D-87EEB9B046B6@dukhovni.org>
References: <156962803631.24993.3421537129925787732@ietfa.amsl.com> <c301f241-33fb-48f3-a55f-b53824180be2@www.fastmail.com> <F21EF885-96B5-411F-B79D-87EEB9B046B6@dukhovni.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2678527.Yuvi7abKi2"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Fri, 04 Oct 2019 16:44:13 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TyZvOs7p70p2T_UGu3Tsi8Ip5iY>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Oct 2019 16:44:17 -0000

On Thursday, 3 October 2019 05:44:27 CEST Viktor Dukhovni wrote:
> > On Oct 2, 2019, at 11:20 PM, Christopher Wood <caw@heapingbits.net> wrote:
> > 
> > Asking for one upon resumption seems reasonable to me. Thanks to you and
> > Viktor for bringing up this case!
> Thanks!  Much appreciated.
> 
> My other point, which I probably obscured in too many words, is
> that a client that prefers to re-use existing tickets, would
> normally want to ask for 0 new tickets, but this should not
> necessarily preclude the server from issuing one *as needed*
> (STEK rollover, ...).
> 
> So there is a difference between a signal that tickets
> are simply not wanted, vs. wanted only *as needed*.
> 
> Do you have any thoughts on how a client might signal this?
> 
> The use-case is clients and servers that don't make use of
> early-data, and don't need to avoid traffic analysis.  For
> example, MTA-to-MTA traffic, where the client even identifies
> in clear text with "EHLO".  Here ticket reuse is the norm,
> and renewal is only needed as tickets age.
> 
> [ I hope I managed an suitably concise description this time... ]

Well, the client doesn't have any feedback from server that the server 
supports this extension so it will need to be able to handle tickets anyway. 
It can't use this extension to disable sending of tickets.

now, we may say in the text, that's it's recommended for the server to still 
send them in case of resumption and STEK rollover of PHA, but I'm not sure if 
we're not too far into the weeds...
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email