IETF Logo Mail Archive

Re: [TLS] Separate APIs for 0-RTT

David Benjamin <davidben@chromium.org> Wed, 14 June 2017 23:31 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 979521270FC for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 16:31:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Us_w2EurLTF for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 16:31:31 -0700 (PDT)
Received: from mail-pf0-x236.google.com (mail-pf0-x236.google.com [IPv6:2607:f8b0:400e:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 316241200CF for <tls@ietf.org>; Wed, 14 Jun 2017 16:31:31 -0700 (PDT)
Received: by mail-pf0-x236.google.com with SMTP id x63so7426777pff.3 for <tls@ietf.org>; Wed, 14 Jun 2017 16:31:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5yx8/6GFKiSSM9wFO3n2uyJGJnzzpRKrIGWzSDGTBYE=; b=H0BWSF+4cQu84Uq2jYfZmrQdTFFAFoLJZZnVyKnU2wB1RZXxsg7QU5m6rb0vWR8Ig4 yAQMwLkP8QxmomKo/cNRJbpzzj3Q8bvXYHBfNnaJufy+PdN3BP/5tQQVSS4EobyTu0jy QxCVQxBRKkPvjrapy6HL1r/E1hGmD3neqe5I0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5yx8/6GFKiSSM9wFO3n2uyJGJnzzpRKrIGWzSDGTBYE=; b=JfBVM+QoI8qPf7HYWinO5VZzWc1Wla33UP+o86GHV+qPBwnO/tHHatM9ca0pr3cm9v bDutiG3y4HrsGkZfO/Rtgf5Rs2xT4fU5LhyvCzNTgQdpaAChMngo/Gz9SmUufApKlpFn iKcl/TNlrd3p9k+e7jFP0hsEwaeeU77GVLUtuxHr1bSvrVKr5ig2tlI31xFxwCJIdNYS G8qcUlV74OSx2wPJ+Td1WPi4hxWORn1S8eQcypyejZtvPXqSIbCbQL4bMgDAF+aeImPr br8Em4NfB+XE4Yuq8214JlvMUMM2gb1Pz9fjOUFsAus/4udp1MfbQf0qmvLfTTJQUaNb OHQA==
X-Gm-Message-State: AKS2vOzokVxAbY1PChQbq7WALvj6u8ACx9ZNu0poXjrGMtqFqwAi/gHO udTC1iIF0g31VtIKERavHceNizp7T3H9
X-Received: by 10.84.136.129 with SMTP id 1mr2682586pll.213.1497483090667; Wed, 14 Jun 2017 16:31:30 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com> <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com> <CAAF6GDfRJKgCbSW+eRpmkRSWQ0tz5-h12BxRB+gSGQk=0i-VFA@mail.gmail.com>
In-Reply-To: <CAAF6GDfRJKgCbSW+eRpmkRSWQ0tz5-h12BxRB+gSGQk=0i-VFA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 14 Jun 2017 23:31:19 +0000
Message-ID: <CAF8qwaCJDeKO8xeqrw2=yA5zNKVFr_SbsL8FobqfjO_1Yj4LSw@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, Petr Špaček <petr.spacek@nic.cz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1196aaad8c7f0551f3f371"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ypt1Vkq0F8Ji0cG8rc43_k4utfQ>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 23:31:34 -0000

On Wed, Jun 14, 2017 at 6:47 PM Colm MacCárthaigh <colm@allcosts.net> wrote:

> On Wed, Jun 14, 2017 at 3:23 PM, David Benjamin <davidben@chromium.org>
> wrote:
>
>> That is, it is not the identity of the bytes that matters much. It's
>> whether the connection has been confirmed when you perform an unsafe
>> action. I believe this still satisfies the properties we want, but without
>> breaking standard interfaces. Very near the TLS stack, at the point where
>> the record boundary abstraction starts leaking (it's common to only give
>> you back a single record on read), either API is equally easy to provide.
>> The looser phrasing is needed for composition once you start going up a
>> layer or to.
>>
>
> Suppose a request, or a frame, spans two different client certificate
> authentication contexts (or unauthenticated, and authenticated); how is
> that handled today? or is it just forbidden?
>

In TLS 1.2, that would require renegotiation, which is not allowed in
HTTP/2. Our client and server implementations enforce this, for this and
other reasons.
http://httpwg.org/specs/rfc7540.html#rfc.section.9.2.1

Sadly, in Chrome as an HTTP/1.1 client, we are stuck with supporting this
mess, so we allow it at HTTP/1.1, but we will only accept client
certificate requests between request and response and further forbid all
handshake/application interleave. HTTP/1.1 without pipelining is just
barely simple enough that one can get away with all this. (In all other
cases, BoringSSL does not support renegotiation at all.)

The mess around trying to make byte boundaries semantically meaningful is
why I'd previously advocated leaving TLS 1.3 post-handshake auth to the
application profile, and why I advocated that it never be allowed in
HTTP/2. HTTP/2 should use something at its layer, possibly leaning on
exported authenticators. We have no plans to implement TLS 1.3
post-handshake auth in BoringSSL, but if we were ever to implement it, it
would likely be under the same constraints as renegotiation (off by
default, client-only, HTTP/1.1-only, and only at that one point in the
protocol with no interleave).

I assume what you're getting at here is that my 0-RTT and post-handshake
auth preferences are the opposite? :-) That's true. In the post-handshake
auth case, making the boundary insignificant to the higher-level protocol
isn't really feasible. Conversely, forbidding 0-RTT with HTTP/2 would be
rather unfortunate. But it seems the tight synchronization is not needed
here, so we don't need to go that route.

v2.23.0 | Report a Bug | By Email