Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 31 January 2020 22:27 UTC

Date: Fri, 31 Jan 2020 17:27:16 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20200131222716.GD49778@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <08A4B0CD-9903-4027-B672-E8C7AFB34B4D@akamai.com> <20200123005528.GA12073@localhost> <CAN2QdAH7t4fPgBfBSO7Ni1As2bVB9QvCw1s9j0ggqvTRUATE8A@mail.gmail.com> <20200123021455.GA73491@straasha.imrryr.org> <87427017-551e-4633-a0d3-75f378879aa9@redhat.com> <20200123124055.GF73491@straasha.imrryr.org> <CACsn0cngxBQTB+Pfw6t_+qsSFb0Kf8mV1U1J1UTsPJiUk=vg0w@mail.gmail.com> <20200123193250.GD12073@localhost> <20200123210151.GG73491@straasha.imrryr.org> <5F5F670C-A0BD-4F38-BEFF-192C171EDAC1@apple.com>
In-Reply-To: <5F5F670C-A0BD-4F38-BEFF-192C171EDAC1@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YTNGjJDfm9bVNk6TBwPIEPzSbSc>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

On Fri, Jan 31, 2020 at 09:06:12AM -0800, Tommy Pauly wrote:

> However, for the purposes of the WGLC for this draft,
> draft-ietf-tls-ticketrequests, it may be best to separate the
> conversation. It seems that the negotiation of ticket reuse would be
> best served by another document that could be adopted by the WG. The
> ticket request document, as it was adopted, was specifically a
> mechanism to request multiple tickets so as to *avoid* ticket reuse.

Yes, but the issues DO NOT decouple.  It is a mechanism to communicate
the client's ticket requirements to the server.  Many clients will
want multiple tickets unconditionally, some will want none, or only
one as the presented one becomes no longer valid.

The use-case is that the Postfix SMTP server currently always vends
replacement tickets ONLY when expiring.  I'd like to be able to
distinguish between clients that always want fresh tickets (MUAs)
and clients that don't (MTAs).  This will also reduce ticket reuse.

> This is stated several times in the use cases (section 2) and security
> considerations (section 5). While this does not preclude a future
> extension that negotiates ticket reuse, I believe, as an author, that
> enabling ticket reuse is out of scope of this particular document.

The two extensions will be in conflict.  There's a trivial solution
within the existing extension.  One code of 255 fully addresses the
issue, with no additional document required.

Proliferation of conflicting documents does not help implementors.
Let's address the issue before us in a single document.  Reuse
is not a separate issue, both are just ticket quantity negotiation.

-- 
    Viktor.
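The negotiation Viktor describes (a client stating how many tickets it wants, with 255 reserved for "keep reusing the one I presented, replace it only when it is about to expire") can be modelled as a server-side issuance policy. The following is an added example, not Postfix code and not text from draft-ietf-tls-ticketrequests; it assumes the draft-era encoding of a single uint8 count in the `ticket_request` extension, and the meaning of 255 is the one proposed in this message, not something the draft defines. `server_max` and `expiry_margin_secs` are hypothetical policy knobs.

```python
"""Server-side ticket issuance policy modelling the proposal in this thread.

Added example: not Postfix code and not part of the draft. Assumptions
(labelled where used): the ticket_request extension body is one uint8
count; a count of 255 means "I reuse my presented ticket, only replace it
when it is expiring", as suggested in the message above.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed sentinel from this message; the draft does not define it.
REUSE_SENTINEL = 255


@dataclass
class ResumptionState:
    resumed: bool              # handshake resumed with a presented ticket?
    ticket_age_secs: int       # age of the presented ticket (0 if none)
    ticket_lifetime_secs: int  # lifetime the server gave that ticket


def parse_ticket_request(ext_body: bytes) -> int:
    """Decode the assumed one-byte count; reject malformed bodies."""
    if len(ext_body) != 1:
        raise ValueError("ticket_request body must be exactly one byte")
    return ext_body[0]


def tickets_to_issue(requested: Optional[int], state: ResumptionState,
                     server_max: int = 2,
                     expiry_margin_secs: int = 3600) -> int:
    """Number of NewSessionTicket messages the server should send.

    requested is None when the client sent no extension at all.
    """
    if requested is None:
        # No extension: keep the behaviour the message describes for the
        # Postfix SMTP server today, i.e. replace only when expiring.
        requested = REUSE_SENTINEL
    if requested == REUSE_SENTINEL:
        if not state.resumed:
            # Nothing to reuse yet: hand out a single ticket (MTA case).
            return 1
        remaining = state.ticket_lifetime_secs - state.ticket_age_secs
        # Reusing client: vend a replacement only near expiry.
        return 1 if remaining <= expiry_margin_secs else 0
    # Explicit count (e.g. an MUA wanting fresh tickets): cap at policy.
    return min(requested, server_max)


def decide_from_wire(ext_body: Optional[bytes], state: ResumptionState) -> int:
    """Convenience wrapper: parse the extension (if present) and decide."""
    count = None if ext_body is None else parse_ticket_request(ext_body)
    return tickets_to_issue(count, state)


if __name__ == "__main__":
    # Constructed inputs: an MUA asking for 3 fresh tickets on a new
    # connection, and an MTA resuming with a young ticket that it reuses.
    mua = ResumptionState(resumed=False, ticket_age_secs=0,
                          ticket_lifetime_secs=7200)
    mta = ResumptionState(resumed=True, ticket_age_secs=100,
                          ticket_lifetime_secs=7200)
    print("MUA, count=3 ->", decide_from_wire(b"\x03", mua))
    print("MTA, count=255 ->", decide_from_wire(b"\xff", mta))
```

The point of the split is that a single negotiated quantity covers both cases Viktor raises: clients that always want new tickets ask for N, clients that reuse ask for the sentinel, and the server never needs a second extension to tell them apart.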