Re: [TLS] 0RTT?

Watson Ladd <watsonbladd@gmail.com> Tue, 05 August 2014 01:52 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ECB61A0AE2 for <tls@ietfa.amsl.com>; Mon, 4 Aug 2014 18:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1DgD-P_rMW-o for <tls@ietfa.amsl.com>; Mon, 4 Aug 2014 18:52:31 -0700 (PDT)
Received: from mail-yk0-x230.google.com (mail-yk0-x230.google.com [IPv6:2607:f8b0:4002:c07::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E72D21A0AD9 for <tls@ietf.org>; Mon, 4 Aug 2014 18:52:30 -0700 (PDT)
Received: by mail-yk0-f176.google.com with SMTP id 19so190937ykq.35 for <tls@ietf.org>; Mon, 04 Aug 2014 18:52:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=I+nPrODDyjUPmBkWaHJHePb/bAP3EN0pc0EhXogQeXg=; b=IkhyVmhMKxHNF/vbt3BWP/9Qqs8AW0oU7w51JRghXFbvHPKJtf7ozROFPSypqwey6A Jpm83hIrBXB8BE77ArCpk1AuYz0ZDiCh7UW/4wA/wKQKJbpPVnXw+jYXRo/h+Efyc35G dYRWwn3jpuGuaYrfgT2Tci3LhXwvcGKol1V9rMzUPhXbHm4jQV1M1oAr2l7M67vVs9pP DcmrXBUYfN2e4O+bWi8VndTV249hEA0az/e++ze8/3B0qpp6kpTgX5ZKqP80EDrDvgBJ TYyCHUcAYGHKWP5fenvK1Tr2XkHwd9ctRgp4hgiAvvXFiITY/dCVAQc8rR2EKW1R4Z2M D76Q==
MIME-Version: 1.0
X-Received: by 10.236.35.198 with SMTP id u46mr954836yha.54.1407203550292; Mon, 04 Aug 2014 18:52:30 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Mon, 4 Aug 2014 18:52:30 -0700 (PDT)
In-Reply-To: <20140804210102.706EA1ADEE@ld9781.wdf.sap.corp>
References: <CACsn0c=wUvV1M0kZ2y6OcC_UPoRtBRz1Nh_zb_sLYamozoPrpw@mail.gmail.com> <20140804210102.706EA1ADEE@ld9781.wdf.sap.corp>
Date: Mon, 4 Aug 2014 18:52:30 -0700
Message-ID: <CACsn0c==j7j+e8MPXvrOz816y=SQjxSDoDhWjoaY3V8bLofQHA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WQOasVbPOJmirBiunlTitzyWk88
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 01:52:32 -0000

On Mon, Aug 4, 2014 at 2:01 PM, Martin Rex <mrex@sap.com> wrote:
> Watson Ladd wrote:
>>
>> I think I came up with a decent idea for handling 0RTT handshakes,
>> namely making resumption 0RTT, and doing a side rekeying.
>
>
> These idea(s) seem to based on a number of extremely optimistic
> assumptions that have zero chance to get airborne in many usage
> scenarios.
>
> The "regular" TLS session resumption means that client announces
> a TLS session ID in ClientHello and server looks up that session ID
> in its own cache for a match.  If there is no match, a regular
> TLS full handshake proceeds.
>
> 0RTT is a no-go for a huge number of existing apps which do not
> perform any fancy reconnect fallbacks at the application level
> (closing the previous connection, opening a new connection and
> starting a new handshake from scratch while requesting different
> handshake characteristics this time).  For the general case
> a 1RTT resumption is required, which can successfully perform
> a full handshake in case that resumption is not possible,
> without having to go through a connection/handshake failure.

I think we can handle this by thinking about fallback options more
carefully. Certainly a resend can be done at the implementation level
with the new handshake: this will cost latency, but it can be done.

Sincerely,
Watson Ladd