Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 11 October 2019 03:15 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65E5E1200D7 for <tls@ietfa.amsl.com>; Thu, 10 Oct 2019 20:15:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QlJhu5dFhqHG for <tls@ietfa.amsl.com>; Thu, 10 Oct 2019 20:15:39 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B1EC120045 for <tls@ietf.org>; Thu, 10 Oct 2019 20:15:39 -0700 (PDT)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id ECBF82B5AA8 for <tls@ietf.org>; Thu, 10 Oct 2019 23:15:37 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <2781261d-bfa2-4c40-9ca4-6a3a1c9266df@www.fastmail.com>
Date: Thu, 10 Oct 2019 23:07:10 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <5816BBD1-14EE-4B72-AEC4-AC7D576C4823@dukhovni.org>
References: <156962803631.24993.3421537129925787732@ietfa.amsl.com> <8c2b10b3-bfc2-44b0-997a-1cab0789f1b7@www.fastmail.com> <2781261d-bfa2-4c40-9ca4-6a3a1c9266df@www.fastmail.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XGAw6zBoRira7CtWlkns7caa7BA>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Oct 2019 03:15:41 -0000

> On Oct 9, 2019, at 9:04 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> I think that the discussion Victor started about the number of tickets you might want to supply being different for a resumed connection is a sensible one, but I would caution against servers making inferences, especially in light of a very clear signal from clients.  Advice for client implementations might be wise, so that servers are less motivated to make these sorts of decisions.

THanks for the above.  I share much the sentiment.  There's
just one thing I see no way to do, without a somewhat more
nuanced interaction between client and server.

  * The client has a what it believes to be a valid ticket
    and is willing to re-use it, and would prefer to avoid
    the cost of replacing it on each resumption.

  * The server is happy to allow re-use of still valid
    tickets by clients, but needs to know whether the
    client wants a new ticket (because it never re-uses).

  * The server would like to vend a new ticket only when the
    old one needs to be refreshed (ticket lifetime or STEK
    rotation).

In the context of the draft as-is, such a client and server
have a time arriving at a mutually compatible configuration.

  1. If the client requests zero tickets, the server might
     decide the client never wants tickets.  Perhaps here,
     we could say that if the client in fact presented a
     resumption PSK, then it should get zero tickets most of
     the time, but 1 if the ticket needs to be replaced.

     [ This may not quite work right if the presented resumption
       PSK turned out to already be expired and a full handshake
       took place.  In that case the server may not retain any
       knowledge of the original resumption attempt by the time
       the handshake is complete. And for PSKs that fail to
       decrypt, it may not be possible to know whether the PSK
       even was a ticket-based resumption attempt or not. ]

  2. If the client requests one ticket, the server can't
     distinguish between clients that want 1-to-1 replacement,
     because they implement single-use, and those that only want
     one if needed.

  3. When a client gets a new ticket, it has no idea whether the
     original one is still valid, and so must discard the old and
     switch to the new.  So servers that vend a new ticket each
     time force clients to constantly update their ticket store,
     which is sometimes problematic.

Therefore, I am trying to see whether there's a bit of wiggle-room
here for better coordination between server and client.

The simplest I've been able to come up with is to make 0 mean
send no tickets, and 1 mean send 1 as needed, and for n >= 2,
mean send n-1 unconditionally.  But perhaps some else has a
more elegant design that addresses the above?

-- 
	Viktor.