Re: [TLS] New Cached info draft

"Brian Smith" <brian@briansmith.org> Wed, 31 March 2010 17:25 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D7F83A6A55 for <tls@core3.amsl.com>; Wed, 31 Mar 2010 10:25:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.644
X-Spam-Level:
X-Spam-Status: No, score=0.644 tagged_above=-999 required=5 tests=[AWL=-0.487, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jm8ejvpj4OsY for <tls@core3.amsl.com>; Wed, 31 Mar 2010 10:25:44 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id 68E063A6B94 for <tls@ietf.org>; Wed, 31 Mar 2010 10:17:56 -0700 (PDT)
Received: from T60 (unknown [70.134.204.209]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 861DF509DF; Wed, 31 Mar 2010 13:18:18 -0400 (EDT)
From: "Brian Smith" <brian@briansmith.org>
To: "'Stefan Santesson'" <stefan@aaa-sec.com>, <tls@ietf.org>
References: <C7D8D7A4.9C4D%stefan@aaa-sec.com> <4BB36FC5.3040209@pobox.com> <4BB37285.5020906@extendedsubset.com>
In-Reply-To: <4BB37285.5020906@extendedsubset.com>
Date: Wed, 31 Mar 2010 12:18:18 -0500
Message-ID: <003501cad0f6$2b4c3fb0$81e4bf10$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQD3PCi3D0f3Jturskef2KINR30JKAHKu56TAa/xh04BZOPNvw==
Content-Language: en-us
Subject: Re: [TLS] New Cached info draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2010 17:25:45 -0000

Marsh Ray wrote:
> On 3/31/2010 10:52 AM, Michael D'Errico wrote:
> > I haven't been able to totally keep up with the progress of this draft
> > or to follow the discussion, but I think it's a bad idea to
> > artificially limit the size of anything to 1024 bytes.

> I think in this case it's saying there can be a maximum of 1024 entries in
the list,
> each of which can take up to 9 bytes (with a one byte length). So the
receiver of
> this structure is only obligated to store (or ignore) (2 + (1 + 8)*1024)
bytes of
> data.

No, Mike is right and I was wrong; <1024> means "1024 bytes," not "1024
entries.

> > If somebody wants to use small fixed-size buffers, then they can check
> > the length of the vector to see if it will fit.  If it won't fit, then
> > they have to deal with it somehow.
> 
> What ends up happening in the absence of a defined limit is that products
will
> either be subject to a DOS, or different limits will be imposed by
different
> products which harms interoperability.

Also, there are interoperability problems with fragmented ClientHellos so
the pragmatic total maximum size of a ClientHello is 2^14 bytes. 

Is 1024 bytes is an appropriate limit? Maybe not. First, I think we should
discuss whether/why it is sub-optimal to cache just the most recently
received value of each information item. Then I think it would become clear
whether or not it makes sense for the client to send dozens or hundreds or
more hashes in its ClientHello.

I can see that it might be useful for the client to cache one value of each
cached information item that were obtained during initial (unauthenticated,
unencrypted) handshakes plus another set of values per client certificate
that were obtained during renegotiation following client authentication.
However, in that case, the server probably wouldn't want the client to leak
the hash of its second certificate in subsequent initial (unauthenticated,
unencrypted) handshakes. It seems something about this should be added to
the security considerations of the draft.

If there are other cases where it seems useful to have the client send
multiple hashes for the same information item, then those cases should also
be discussed before publication so that the security properties of that
those kind of usages can be analyzed. For example, I think it is a big
privacy problem to send a digest of a value obtained from one server to
another server.

I think the author, Stefan Santesson, seems to know of some cases where
caching more than one value is useful. Stefan, it would be very helpful if
you could explain when it would be sub-optimal to send only one value per
information item in the ClientHello, and when/why it is not a
security/privacy problem to send a hash to a server that hadn't previously
sent you the value from which that hash was created.

Regards,
Brian