Re: [TLS] Call for consensus: Removing DHE-based 0-RTT

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 31 March 2016 17:18 UTC

To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Wi0BK8WTsHOwMH96csJOZiDX2FE>

Hi Ekr,


>     > The only way to do 0-RTT would be with a PSK (in both PSK and
>     > PSK-(EC)DHE modes).
> 
>     I see. This is, of course, a bit unfortunate.
> 
> 
> Can you expand on why? The general sense of the discussion was that they
> offered similar properties.
>  

The PSK-ECDHE mode is less useful for the IoT space because you get the
overhead of the public key crypto without actually getting most of the
benefits. If you already go that step then I would recommend using raw
public keys instead.

But since you clarified the question about the use of out-of-band
provisioned PSKs below, it just means that someone using public key-based
authentication will have more roundtrips (compared to the PSK case).

> 
> 
>     > However, this would include PSKs established via a previous session,
>     > i.e., resumption-PSK.
> 
>     Only established in previous sessions or also distributed out-of-band
>     (as it would be done with PSKs normally). The way you phrased it sounds
>     like you want to exclude the out-of-band case and I wonder why.
> 
> 
> No, the out-of-band case is fine.
Ok. Good.

> 
> -Ekr

Ciao
Hannes