IETF Logo Mail Archive

Re: [TLS] Separate APIs for 0-RTT

David Benjamin <davidben@chromium.org> Wed, 14 June 2017 23:38 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5BB0129420 for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 16:38:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0l2ku6d1UREm for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 16:38:26 -0700 (PDT)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2487212871F for <tls@ietf.org>; Wed, 14 Jun 2017 16:38:26 -0700 (PDT)
Received: by mail-pg0-x22f.google.com with SMTP id a70so6677466pge.3 for <tls@ietf.org>; Wed, 14 Jun 2017 16:38:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=W/ch4x7WpUMwdoeLYCJggf2iI1baIlWb5m9pkfDxxL4=; b=OB82NjA3oQskMeVi/gUbU6PBTGPryAcoDbuhTtDcYIyuaP/Mz+/m1/Efe+m59dnJU5 4STmN7XiwsTbWZpC8Yk2TKGCeRrqPRe6Qv/4dy6tRoq9N6RMp77dsTgxQF6uDYLdtrbM Nt9poYjva5Jx7cORvwdOsx3KSbG8o/zIVAyKc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=W/ch4x7WpUMwdoeLYCJggf2iI1baIlWb5m9pkfDxxL4=; b=PoqvcL3RmnoP+NBSyQ3kms8q2DQZTmLAOEJvSx1lkmf4yVegHJOJcIGdKk/F2NZbZE fYEsFYH5nmTzPFw6jIK9uWbd831Y6VPM4LcndVA+Jq5mxJ4GT7qqtG7i4LjNu/fQkEQ3 G4umzh/jOjIG3A8mMBk7wh68Zh67ScIGHtkeOKJa9vZnwdoqKgLNq3nRT/t/tIl1knNt e5j/IoqsZHJAHMnF65xv0De/hTi4x9IzQdSNIDy776rY87L8ctXo6yM3R00fb9FQkIsp 1P6G3nWzsLYbMJoyLuHlSi7Er5wlkTsDJZPVkQxDrIgrekhHp1DYKShTZykXCeRlT/7s IcIg==
X-Gm-Message-State: AKS2vOzMs00hwK/adDutPGR13OcXeAzqHUb6S7WQ4CoCYOU/Ev9CFyzl cT5acn4aqyTmNneq3mIqT4GLBpd3Wgud
X-Received: by 10.98.89.155 with SMTP id k27mr2300953pfj.70.1497483505641; Wed, 14 Jun 2017 16:38:25 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com> <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com> <CAAF6GDfRJKgCbSW+eRpmkRSWQ0tz5-h12BxRB+gSGQk=0i-VFA@mail.gmail.com> <CAF8qwaCJDeKO8xeqrw2=yA5zNKVFr_SbsL8FobqfjO_1Yj4LSw@mail.gmail.com>
In-Reply-To: <CAF8qwaCJDeKO8xeqrw2=yA5zNKVFr_SbsL8FobqfjO_1Yj4LSw@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 14 Jun 2017 23:38:15 +0000
Message-ID: <CAF8qwaBPAnZtyTuiDYoErOAe6qT6u5XQZ1kQ91W0uxJxjHFhPg@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, Petr Špaček <petr.spacek@nic.cz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1149229e698a200551f40c1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VZnOT-UKIsAeS_C1d_KmhRZtS8g>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 23:38:29 -0000

On Wed, Jun 14, 2017 at 7:31 PM David Benjamin <davidben@chromium.org>
wrote:

> On Wed, Jun 14, 2017 at 6:47 PM Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>
>> On Wed, Jun 14, 2017 at 3:23 PM, David Benjamin <davidben@chromium.org>
>> wrote:
>>
>>> That is, it is not the identity of the bytes that matters much. It's
>>> whether the connection has been confirmed when you perform an unsafe
>>> action. I believe this still satisfies the properties we want, but without
>>> breaking standard interfaces. Very near the TLS stack, at the point where
>>> the record boundary abstraction starts leaking (it's common to only give
>>> you back a single record on read), either API is equally easy to provide.
>>> The looser phrasing is needed for composition once you start going up a
>>> layer or to.
>>>
>>
>> Suppose a request, or a frame, spans two different client certificate
>> authentication contexts (or unauthenticated, and authenticated); how is
>> that handled today? or is it just forbidden?
>>
>
> In TLS 1.2, that would require renegotiation, which is not allowed in
> HTTP/2. Our client and server implementations enforce this, for this and
> other reasons.
> http://httpwg.org/specs/rfc7540.html#rfc.section.9.2.1
>
> Sadly, in Chrome as an HTTP/1.1 client, we are stuck with supporting this
> mess, so we allow it at HTTP/1.1, but we will only accept client
> certificate requests between request and response and further forbid all
> handshake/application interleave. HTTP/1.1 without pipelining is just
> barely simple enough that one can get away with all this. (In all other
> cases, BoringSSL does not support renegotiation at all.)
>
> The mess around trying to make byte boundaries semantically meaningful is
> why I'd previously advocated leaving TLS 1.3 post-handshake auth to the
> application profile, and why I advocated that it never be allowed in
> HTTP/2. HTTP/2 should use something at its layer, possibly leaning on
> exported authenticators. We have no plans to implement TLS 1.3
> post-handshake auth in BoringSSL, but if we were ever to implement it, it
> would likely be under the same constraints as renegotiation (off by
> default, client-only, HTTP/1.1-only, and only at that one point in the
> protocol with no interleave).
>
> I assume what you're getting at here is that my 0-RTT and post-handshake
> auth preferences are the opposite? :-) That's true. In the post-handshake
> auth case, making the boundary insignificant to the higher-level protocol
> isn't really feasible. Conversely, forbidding 0-RTT with HTTP/2 would be
> rather unfortunate. But it seems the tight synchronization is not needed
> here, so we don't need to go that route.
>

I should probably add the two scenarios aren't quite analogous. The 0-RTT
boundary is a problem even in HTTP/1.1-like protocols because there is a
send limit. If you're trying to fit the HTTP/1.1 request before the
boundary, you can't stream it (request body?). The size needs to be known
ahead of time.

David

v2.23.0 | Report a Bug | By Email