Re: [TLS] Draft 18 review : Hello Retry Request and supported groups cache
Eric Rescorla <ekr@rtfm.com> Wed, 23 November 2016 13:10 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2835A129D81 for <tls@ietfa.amsl.com>; Wed, 23 Nov 2016 05:10:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQSbeD2yT2VP for <tls@ietfa.amsl.com>; Wed, 23 Nov 2016 05:10:09 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2D7212960D for <tls@ietf.org>; Wed, 23 Nov 2016 05:10:09 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id a10so10601131ywa.3 for <tls@ietf.org>; Wed, 23 Nov 2016 05:10:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OUXbIB0jTbgIKEfTCIe6D3BdYMM5qX/3Hkh+ojI9cbk=; b=x/3torAdNfICSWLmX0bZnlSsxe4fZbvOlsPn6Rh3dUDskNLvCSnigylvGnHcwPGdTo ADyyX4MUYj9Okce6OaYR2fpOJqpByk/Yv79FYbdRTHecRBhHhRaHn8kq5SHZfbNxRbfd oFtt0YM8Fgo3qmQZbCMPl1O1hdRPKmiJBTnEdydvi6UeBr0ASuPdGjftQPEuMSkjpfRs MoWXii80cwBRrJ9wKoYIKGG8nlWlQM872FH5N1XXnW8h/4oGRBf9bKLJiCBOKzyZGosY tp/+RqOotter6D2IBXJpgdTfQ6CU39km0piQiHL6TrZLs1N7vVJHz5r5U0tn/7n68wwT OMdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OUXbIB0jTbgIKEfTCIe6D3BdYMM5qX/3Hkh+ojI9cbk=; b=UGfe9qaFSFlo4oO4jzl6o7gEI/C8J94uvGgdIBsVm4xE+rYVIH9i/7/2sQFOtewTG6 pgDGDSrEM6lmUYlbWukFUp+2CxaOnDXPKKZX7DAjpdAgQwiOTaFLNcyoV/isX5wpfr7Z zZUCx4iJGa64JeD1YxoT0JpXmwLhiQJ44XHoFRT+6rfmD0aLjINm3e8rMHwPCGEypMxv V/k/2W8W2D5vOmNrChE9vjwPhq7BSfLWjLvtJQfixpGYd/GBdOMIJQd6AaCw46pmcxos IHrPrjp8wv5LmVYR5mfMfQYnUBMohtkO7th3t81qsB3PMB+DpRfCb+6J9ddpAMF5ZoI1 oaHQ==
X-Gm-Message-State: AKaTC007qBsXvemhhFek9H/8xhxnHcS79yfQeShLcaG44/VZNCZ/W1FBPnSVY2k1XpCoy/p0wxmoA/hYI77Cng==
X-Received: by 10.129.53.194 with SMTP id c185mr3092786ywa.205.1479906609089; Wed, 23 Nov 2016 05:10:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.159.141 with HTTP; Wed, 23 Nov 2016 05:09:28 -0800 (PST)
In-Reply-To: <58355120.5030800@ssi.gouv.fr>
References: <20161122190344.GC19978@neoplankton.picty.org> <CANduzxB1+Vw8-uWfbmGauCiK6OMZxO5VogV7e-oB0Ms5uHst8A@mail.gmail.com> <CABcZeBMqBCo9Bc7LXaRTTN0bOhXqku0txLFor+zQ3Zg-7C=E3g@mail.gmail.com> <58355120.5030800@ssi.gouv.fr>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 23 Nov 2016 05:09:28 -0800
Message-ID: <CABcZeBO7t6gG-EKXTZgUUZQJQD77q=iM+AZB0ginu8+zA-dxmg@mail.gmail.com>
To: Olivier Levillain <olivier.levillain@ssi.gouv.fr>
Content-Type: multipart/alternative; boundary="001a11421478bc96000541f79b2c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UxHRPsxhYEY6MuzBwz9NZ1W1NI8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Draft 18 review : Hello Retry Request and supported groups cache
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Nov 2016 13:10:11 -0000
On Wed, Nov 23, 2016 at 12:19 AM, Olivier Levillain < olivier.levillain@ssi.gouv.fr> wrote: > Hi, > > >> Being able to send supported_groups does allow a server to choose to > make > >> a tradeoff between an extra round trip on the current connection and its > >> own group preferences. One example where a server might want to do this > is > >> where it believes that X25519 is likely a more future-proof group and > would > >> prefer that, but still believes the client's choice of P256 is suitable > for > >> this connection. Always requiring an extra round trip might end up being > >> expensive depending on the situation so some servers might prefer to > avoid > >> sending an HRR for a slightly more preferred group. > >> > >> I think that requiring the client to maintain state from the > >> supported_groups puts undue requirements on the client, since not all > >> clients keep state between connections, and those that do usually only > keep > >> session state for resumption. > >> > > This matches my view as well. > > > > I agree that the client should not be require to keep state. I do not > > believe that the draft requires this, but if someone thinks otherwise, > > please send a PR to fix. > > > > There were actually two points in my message: > - I was not convinced by this way of signalling a preference without > enforcing it, but I understand that, if we keep supported_groups, it > does not cost much and the client can safely ignore the server sent > extension; > - however, I found strange that the specification stated that the > client could update its view when seeing this extension, but that it was > not stated in the case of an HRR where updating its views of the > servers' preference would clearly be useful for the future. I only > proposed to add the same text "The client MAY update its view of the > server's preference when receiving an HRR, to avoid the extra round trip > in future encounters". > This is is unsafe, because the HRR is unauthenticated. We could update it after the handshake completes, but I think this is obvious enough that it doesn't need to be stated. -Ekr
- [TLS] Draft 18 review : Hello Retry Request and s… Olivier Levillain
- Re: [TLS] Draft 18 review : Hello Retry Request a… Steven Valdez
- Re: [TLS] Draft 18 review : Hello Retry Request a… Eric Rescorla
- Re: [TLS] Draft 18 review : Hello Retry Request a… Olivier Levillain
- Re: [TLS] Draft 18 review : Hello Retry Request a… Eric Rescorla
- Re: [TLS] Draft 18 review : Hello Retry Request a… Olivier Levillain
- Re: [TLS] Draft 18 review : Hello Retry Request a… Eric Rescorla