Re: [TLS] Separate APIs for 0-RTT
David Benjamin <davidben@chromium.org> Wed, 14 June 2017 23:31 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 979521270FC for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 16:31:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Us_w2EurLTF for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 16:31:31 -0700 (PDT)
Received: from mail-pf0-x236.google.com (mail-pf0-x236.google.com [IPv6:2607:f8b0:400e:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 316241200CF for <tls@ietf.org>; Wed, 14 Jun 2017 16:31:31 -0700 (PDT)
Received: by mail-pf0-x236.google.com with SMTP id x63so7426777pff.3 for <tls@ietf.org>; Wed, 14 Jun 2017 16:31:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5yx8/6GFKiSSM9wFO3n2uyJGJnzzpRKrIGWzSDGTBYE=; b=H0BWSF+4cQu84Uq2jYfZmrQdTFFAFoLJZZnVyKnU2wB1RZXxsg7QU5m6rb0vWR8Ig4 yAQMwLkP8QxmomKo/cNRJbpzzj3Q8bvXYHBfNnaJufy+PdN3BP/5tQQVSS4EobyTu0jy QxCVQxBRKkPvjrapy6HL1r/E1hGmD3neqe5I0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5yx8/6GFKiSSM9wFO3n2uyJGJnzzpRKrIGWzSDGTBYE=; b=JfBVM+QoI8qPf7HYWinO5VZzWc1Wla33UP+o86GHV+qPBwnO/tHHatM9ca0pr3cm9v bDutiG3y4HrsGkZfO/Rtgf5Rs2xT4fU5LhyvCzNTgQdpaAChMngo/Gz9SmUufApKlpFn iKcl/TNlrd3p9k+e7jFP0hsEwaeeU77GVLUtuxHr1bSvrVKr5ig2tlI31xFxwCJIdNYS G8qcUlV74OSx2wPJ+Td1WPi4hxWORn1S8eQcypyejZtvPXqSIbCbQL4bMgDAF+aeImPr br8Em4NfB+XE4Yuq8214JlvMUMM2gb1Pz9fjOUFsAus/4udp1MfbQf0qmvLfTTJQUaNb OHQA==
X-Gm-Message-State: AKS2vOzokVxAbY1PChQbq7WALvj6u8ACx9ZNu0poXjrGMtqFqwAi/gHO udTC1iIF0g31VtIKERavHceNizp7T3H9
X-Received: by 10.84.136.129 with SMTP id 1mr2682586pll.213.1497483090667; Wed, 14 Jun 2017 16:31:30 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com> <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com> <CAAF6GDfRJKgCbSW+eRpmkRSWQ0tz5-h12BxRB+gSGQk=0i-VFA@mail.gmail.com>
In-Reply-To: <CAAF6GDfRJKgCbSW+eRpmkRSWQ0tz5-h12BxRB+gSGQk=0i-VFA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 14 Jun 2017 23:31:19 +0000
Message-ID: <CAF8qwaCJDeKO8xeqrw2=yA5zNKVFr_SbsL8FobqfjO_1Yj4LSw@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, Petr Špaček <petr.spacek@nic.cz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1196aaad8c7f0551f3f371"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ypt1Vkq0F8Ji0cG8rc43_k4utfQ>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 23:31:34 -0000
On Wed, Jun 14, 2017 at 6:47 PM Colm MacCárthaigh <colm@allcosts.net> wrote: > On Wed, Jun 14, 2017 at 3:23 PM, David Benjamin <davidben@chromium.org> > wrote: > >> That is, it is not the identity of the bytes that matters much. It's >> whether the connection has been confirmed when you perform an unsafe >> action. I believe this still satisfies the properties we want, but without >> breaking standard interfaces. Very near the TLS stack, at the point where >> the record boundary abstraction starts leaking (it's common to only give >> you back a single record on read), either API is equally easy to provide. >> The looser phrasing is needed for composition once you start going up a >> layer or to. >> > > Suppose a request, or a frame, spans two different client certificate > authentication contexts (or unauthenticated, and authenticated); how is > that handled today? or is it just forbidden? > In TLS 1.2, that would require renegotiation, which is not allowed in HTTP/2. Our client and server implementations enforce this, for this and other reasons. http://httpwg.org/specs/rfc7540.html#rfc.section.9.2.1 Sadly, in Chrome as an HTTP/1.1 client, we are stuck with supporting this mess, so we allow it at HTTP/1.1, but we will only accept client certificate requests between request and response and further forbid all handshake/application interleave. HTTP/1.1 without pipelining is just barely simple enough that one can get away with all this. (In all other cases, BoringSSL does not support renegotiation at all.) The mess around trying to make byte boundaries semantically meaningful is why I'd previously advocated leaving TLS 1.3 post-handshake auth to the application profile, and why I advocated that it never be allowed in HTTP/2. HTTP/2 should use something at its layer, possibly leaning on exported authenticators. We have no plans to implement TLS 1.3 post-handshake auth in BoringSSL, but if we were ever to implement it, it would likely be under the same constraints as renegotiation (off by default, client-only, HTTP/1.1-only, and only at that one point in the protocol with no interleave). I assume what you're getting at here is that my 0-RTT and post-handshake auth preferences are the opposite? :-) That's true. In the post-handshake auth case, making the boundary insignificant to the higher-level protocol isn't really feasible. Conversely, forbidding 0-RTT with HTTP/2 would be rather unfortunate. But it seems the tight synchronization is not needed here, so we don't need to go that route.
- [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Salz, Rich
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Steven Valdez
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Loganaden Velvindron
- Re: [TLS] Separate APIs for 0-RTT Benjamin Beurdouche
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Petr Špaček
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Brian Sniffen
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Martin Thomson
- Re: [TLS] Separate APIs for 0-RTT Timothy Jackson
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Yoav Nir