Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

"Christopher Wood" <caw@heapingbits.net> Mon, 30 September 2019 13:37 UTC

Date: Mon, 30 Sep 2019 06:36:36 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "Hubert Kario" <hkario@redhat.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XLHpHuievkbjfFldkzCyu7XDZgw>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

On Mon, Sep 30, 2019, at 6:28 AM, Hubert Kario wrote:
> On Saturday, 28 September 2019 01:59:42 CEST Christopher Wood wrote:
> > This version addresses some of the comments we received from Hubert a while
> > back. We think it's ready to go for WGLC, modulo whatever nits folks find.
> > :-)
> 
> I still see the "vend" instead of "send" typos... Same for "vended"

It's not a typo! We chose to use vend.

> 
> ```
>       Clients must therefore
>       bound the number of parallel connections they initiate by the
>       number of tickets in their possession, or risk ticket re-use.
> ```
> 
> I'm not a native speaker, but shouldn't it be "...therefore bind the 
> number..."?

Yes, we can fix it in the next version.

> 
> ```
> Servers MUST NOT send more than 255 tickets to clients.
> ```
> 
> per what? session? at a time? connection?

This is all per session. We can state it explicitly in the next version.

> what's the expected behaviour with tickets and post-handshake authentication?
> Are tickets sent after PHA also bound by this limit?

As mentioned earlier, there is no effect, so we left it out. We're happy to accept text should you think it's needed.

> ```
>    Clients MUST NOT change the value of TicketRequestContents.count in
>    second ClientHello messages sent in response to a HelloRetryRequest.
> ```
> 
> 'A server MUST abort the connection with an "illegal_parameter" if the value 
> of the extension changed, it was added or removed in second ClientHello.' ?

I don't think this is necessary.

Best,
Chris
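The thread above discusses three rules from the draft: the per-session cap of 255 tickets, the client keeping TicketRequestContents.count unchanged across a HelloRetryRequest, and the client bounding its parallel resumptions by the tickets it holds so that no ticket is re-used. The following is an added example written for this page, not code from the draft, the thread participants, or any TLS implementation. It assumes the draft -02 wire format `struct { uint8 count; } TicketRequestContents;` (a single byte), assumes a server vends no more than the requested number, and implements the HelloRetryRequest consistency check as a server-side enforcement of the client MUST NOT (the check itself is Hubert's proposal in the thread, not text the draft contains); all function names are this example's own.

```python
"""Added example: ticket_request handling and a non-reusing client ticket pool.
Not from the draft or the thread; see the lead-in for assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "Servers MUST NOT send more than 255 tickets" (read as per session in the thread).
MAX_TICKETS_PER_SESSION = 255


class IllegalParameter(Exception):
    """Stands in for sending a TLS illegal_parameter alert and aborting."""


def parse_ticket_request(body: bytes) -> int:
    """Parse TicketRequestContents (assumed draft -02 format: one uint8 'count')."""
    if len(body) != 1:
        raise IllegalParameter("TicketRequestContents must be exactly one byte")
    return body[0]


def tickets_to_send(requested: int, server_policy_limit: int) -> int:
    """How many tickets the server vends: capped by the client's request,
    local policy, and the hard 255-per-session limit (min of the three)."""
    if not 0 <= server_policy_limit:
        raise ValueError("server policy limit must be non-negative")
    return min(requested, server_policy_limit, MAX_TICKETS_PER_SESSION)


def check_hrr_consistency(first_ch: Optional[bytes], second_ch: Optional[bytes]) -> int:
    """Server-side enforcement of 'clients MUST NOT change count after HRR'.
    Following Hubert's proposal, adding or removing the extension counts as a
    change too; absent in both ClientHellos is allowed and means count 0."""
    if first_ch is None and second_ch is None:
        return 0
    if first_ch is None or second_ch is None:
        raise IllegalParameter("ticket_request added or removed in second ClientHello")
    first, second = parse_ticket_request(first_ch), parse_ticket_request(second_ch)
    if first != second:
        raise IllegalParameter(f"ticket_request count changed {first} -> {second}")
    return second


@dataclass
class TicketPool:
    """Client-side store that hands out each ticket at most once."""
    tickets: List[bytes] = field(default_factory=list)

    def add(self, ticket: bytes) -> None:
        self.tickets.append(ticket)

    def take(self) -> Optional[bytes]:
        """None means: no ticket left, do a full handshake rather than re-use one."""
        return self.tickets.pop() if self.tickets else None


def plan_connections(pool: TicketPool, wanted: int) -> Tuple[int, int]:
    """Bound parallel resumptions by tickets held; return (resumed, full_handshakes)."""
    resumed = 0
    while resumed < wanted and pool.take() is not None:
        resumed += 1
    return resumed, wanted - resumed


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    count = parse_ticket_request(b"\x05")
    print("client asked for", count, "tickets; server vends", tickets_to_send(count, 4))
    pool = TicketPool()
    for i in range(2):
        pool.add(b"constructed-ticket-%d" % i)
    print("resumed/full:", plan_connections(pool, 3))
```

The point the pool makes concrete is the one the quoted paragraph states: once a client has opened as many resumed connections as it holds tickets, the next connection must fall back to a full handshake, which is what removes the ticket re-use (and the linkability it brings) that the draft warns about.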