Re: [TLS] PR ¤468: Cookie for hrr
Eric Rescorla <ekr@rtfm.com> Sun, 22 May 2016 18:30 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4C3212D504 for <tls@ietfa.amsl.com>; Sun, 22 May 2016 11:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tsDK-y7vC02U for <tls@ietfa.amsl.com>; Sun, 22 May 2016 11:30:51 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF74A12D1EC for <tls@ietf.org>; Sun, 22 May 2016 11:30:50 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id c127so35876834ywb.1 for <tls@ietf.org>; Sun, 22 May 2016 11:30:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Hp7vqeVu3zFOzFjc8HVHvOtFAlyDrRnFlvbZtkoKFYc=; b=asKMC0mzFmjqHP/oGzAZ5SJf5wNF0FoWMp16KO6nDNo4TmYLhtMKrbAl3JCc/ZT3U2 wje5t2l0wpDFehSxBZw6IupbaSgWaAsj9HIUaupIvksmPx2LnuKdnnmlHRlc/d38Rp5Y OtYfjNH4f+mNWuehC4IoOidGJBTarxrn+W3INSj75A5ralg+Gmq07K/x3e5/EgAyBHVj CXunL6S36KHQYA1I0Dd9LaFhDzhpJR/n2qx5w+KO7Fb5EpVxhLbF6jBskEvVZMtTQpCL MuVDsI09htLecEcxt2S16mLPfq8i8Z5HwyL5OKVpSSLqSUrOkx4gQ5a5WqbeAX2Lz3MQ wgFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Hp7vqeVu3zFOzFjc8HVHvOtFAlyDrRnFlvbZtkoKFYc=; b=Q5/vJDXydwRxp90Z5t5g13okZuTW3D0iJAowemXvbHBYsoPrBpo/rRQxvAq+ZQPSYE 6JGWm9uTzqF1H5uJ+JQh5zVwHUkzezNUKMqdNKsBswicz+rH2fKJli8okuS5N4OddlnH zLtYOoArDNE3eYEb4mhNqGbd4BsJKugL6A6lC8Lp6e3CiecV7gbDtJdxQ+YlcdSKtENc d/9+p2f1a+RZpKm+rNUnuT+Ewb6afFANScmcq5cOD13Dprk6pB5o7MhvgiFEAGKd0Co1 i7IYgkEx3HqQnKKp3dGSGgYAG3VmvLsqN5AcAxOiOd83pT65kMEoqdJjHBBBhhB7AkRz Ugbw==
X-Gm-Message-State: AOPr4FXMHA8abT+/6iI+qW67RDLUie7HLLuPP5brDszD4tGMyCb+5GhN5lFa+v1hSUNxK3dEPA5o3Nf5fGDPHQ==
X-Received: by 10.13.237.1 with SMTP id w1mr7256956ywe.62.1463941850119; Sun, 22 May 2016 11:30:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Sun, 22 May 2016 11:30:10 -0700 (PDT)
In-Reply-To: <20160522155921.GA17811@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160522142212.GA17666@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBPEQMJvBkb9kNvE4XeV8PyXoi=MchxrjPmmmYbJ8aXamQ@mail.gmail.com> <20160522155921.GA17811@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 May 2016 11:30:10 -0700
Message-ID: <CABcZeBPBtuqm-Qz7+WaQfaCzqKSXdpfER-cRHxCV0reae6vpyg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c0864a8f2f6920533728588"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_V85HRItBnvc6s-ccetyefdlQ7A>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR ¤468: Cookie for hrr
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 May 2016 18:30:52 -0000
On Sun, May 22, 2016 at 8:59 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Sun, May 22, 2016 at 07:49:12AM -0700, Eric Rescorla wrote: > > On Sun, May 22, 2016 at 7:22 AM, Ilari Liusvaara < > ilariliusvaara@welho.com> > > wrote: > > > > > Looking at PR #468: > > > - It isn't at all obvious how to use it for stateless rejection. > > > - It is even less obvious how to recover (not causing non-retryable > > > fault) from bad cookie (e.g. expired) remembered from previous > > > connection. > > > > > > There are some tricks for both, but with latter, the 255-byte > > > cookie space can become quite cramped... > > > > > > > I'll make the space biggeer. > > Not having to deal with cross-connection cookies makes things > easier, but... > > Actually, looking at it, I didn't find how EDI context is > determined. And EDI context needs to be fit into cookies because > it isn't retransmitted on 2nd CH. > I don't understand what you're saying here. Here is my claim: 1. The second ClientHello doesn't come with EDI. 2. The Cookie (if used for this) needs to contain the entire hash state, which means it includes the ClientHello w/ EDI transitively. 3. Therefore you can recover the hash state no matter how much the client changes the ClientHello (though we forbid a lot of changes) If I'm wrong here, would definitely like to know. Can you explain? > Also while looking at 0-RTT: > > It occured to me how to determine the ciphersuite used for 0-RTT. > Then it occured to me that the symmetric parts are determined by the > provisioned context and asymmetric parts don't matter. But I think > this is quite non-obvious. > "All of the parameters for the 0-RTT data (symmetric cipher suite, ALPN, etc.) MUST be those which were negotiated in the connection which established the PSK. " Would be happy to have clarifications. And clock errors being small outside of gross corrections? Clock > first-order errors can be pretty large with unsynchronized clocks > (I have personally seen FO errors on order of 1s per day on some > bit bad piece of kit), and those would absolutely show up as errors > in ticket age. And if you have synchronized clock, the zeroth-order > errors (wrong time) will be small too (can be <10ms). And have fun > with leap seconds. :-) Yes. Those people basically won't be able to use 0-RTT. > > > Is the ticket allowed to outlive certificate orginally used in > provisioning it (possibly indirectly, with ticket being provisoned > from connection using ticket)? > This has never been something TLS has taken a position on. Also, the extension negotiation matching stuff with 0-RTT talking > about padding? Padding just plain can't be negotiated. And "negotiated > in ServerHello"? None of the extensions that can presently be > negotiated there are any of any interest with 0-RTT. To me the text > looks really confused. > I'll take a look at it, but PRs welcome. Right now I have an open issue marker, -Ekr > > > -Ilari >
- [TLS] PR ¤468: Cookie for hrr Ilari Liusvaara
- Re: [TLS] PR ¤468: Cookie for hrr Eric Rescorla
- Re: [TLS] PR ¤468: Cookie for hrr Ilari Liusvaara
- Re: [TLS] PR ¤468: Cookie for hrr Eric Rescorla
- Re: [TLS] PR ¤468: Cookie for hrr Ilari Liusvaara
- Re: [TLS] PR ¤468: Cookie for hrr Eric Rescorla
- Re: [TLS] PR ¤468: Cookie for hrr Ilari Liusvaara
- Re: [TLS] PR ¤468: Cookie for hrr Eric Rescorla
- Re: [TLS] PR ¤468: Cookie for hrr Ilari Liusvaara