Re: [TLS] 0-RTT & resumption

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 25 July 2015 19:07 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD2D91ACC92 for <tls@ietfa.amsl.com>; Sat, 25 Jul 2015 12:07:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sxreYRLo6-PC for <tls@ietfa.amsl.com>; Sat, 25 Jul 2015 12:07:34 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AF041ACD0A for <tls@ietf.org>; Sat, 25 Jul 2015 12:07:34 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id D9778284B64; Sat, 25 Jul 2015 19:07:32 +0000 (UTC)
Date: Sat, 25 Jul 2015 19:07:32 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150725190732.GO4347@mournblade.imrryr.org>
References: <201507251453.18237.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201507251453.18237.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_rMJLdEzqEHiBwYyGpuShBw5wK4>
Subject: Re: [TLS] 0-RTT & resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jul 2015 19:07:35 -0000

On Sat, Jul 25, 2015 at 02:53:17PM -0400, Dave Garrett wrote:

> 3) Just to state the obvious: If a client is going to do PSK resumption
> with a non-PFS suite, it needs to offer a non-PFS suite.

Forward-secrecy is not about doing or not doing DHE/ECDHE; those
are just means to an end.  Forward-secrecy is about retaining
confidentiality of past traffic even when long-term secrets (for
TLS server private keys) are later disclosed.

With that in mind, resumption without DHE/ECDHE has the same
forward-secrecy as the original session.  The session master secret
is not a "long-term" secret.

> Even if it's not
> really going to be negotiated for anything else, I don't really like the
> feel of this. I think it'd also be cleaner if the offered suites didn't
> have to change for resumption.

Perhaps I am missing something, but I see no reason for the offered
ciphersuites to change.

-- 
	Viktor.
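Worked model of the point above, as an added example that is not part of the list thread or anyone's posted code. It uses the key schedule that TLS 1.3 eventually standardised (RFC 8446, section 7.1; published after this 2015 message) as a concrete realisation of the PSK resumption under discussion: the "non-PFS" resumption is RFC 8446's psk_ke mode, resumption with a fresh (EC)DHE is psk_dhe_ke. Assumptions: finite-field DH over RFC 3526 group 14 stands in for ECDHE, a single constructed transcript stands in for the per-message transcript prefixes the real schedule hashes, and HKDF is implemented inline from RFC 5869 so the block runs on the standard library alone. What it shows is that the key material of a psk_ke resumption is a function of the original session's (EC)DHE secret, the ticket nonce and the transcripts, and that the server's long-term key is not an input to any of it.

```python
"""Toy model of the TLS 1.3 key schedule (RFC 8446, section 7.1) used to
show what a PSK-only resumption depends on.  Added example, not code from
the list thread; transcripts below are constructed placeholders."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size                       # 32 bytes


# --- HKDF, RFC 5869 --------------------------------------------------------
def hkdf_extract(salt, ikm):
    return hmac.new(salt or b"\x00" * HLEN, ikm, HASH).digest()

def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# --- TLS 1.3 labelled derivations, RFC 8446 section 7.1 --------------------
def hkdf_expand_label(secret, label, context, length):
    lbl = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(lbl)]) + lbl
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret, label, transcript):
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)

def key_schedule(psk, ecdhe, transcript):
    """One pass through the schedule.  Simplification: the real schedule
    hashes a different transcript prefix for each secret; one transcript
    stands in for all of them here.  Inputs are a PSK (or None), an (EC)DHE
    shared secret (or None) and the transcript.  The server's long-term
    certificate key is not an input: it only signs the transcript and never
    contributes key material, so its later disclosure recovers nothing."""
    zeros = b"\x00" * HLEN
    early = hkdf_extract(zeros, psk or zeros)
    handshake = hkdf_extract(derive_secret(early, "derived", b""), ecdhe or zeros)
    master = hkdf_extract(derive_secret(handshake, "derived", b""), zeros)
    return {
        "early": early,
        "client_ap": derive_secret(master, "c ap traffic", transcript),
        "server_ap": derive_secret(master, "s ap traffic", transcript),
        "resumption_master": derive_secret(master, "res master", transcript),
    }

def ticket_psk(resumption_master, ticket_nonce):
    """RFC 8446 section 4.6.1: the PSK bound to a NewSessionTicket."""
    return hkdf_expand_label(resumption_master, "resumption", ticket_nonce, HLEN)


# --- Finite-field DH standing in for ECDHE: RFC 3526 group 14, g = 2 -------
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)

def dh_shared_secret():
    """Ephemeral exchange; both private exponents die with this frame."""
    x, y = (int.from_bytes(os.urandom(32), "big") for _ in range(2))
    shared = pow(pow(2, x, P), y, P)             # == pow(pow(2, y, P), x, P)
    return shared.to_bytes(256, "big")

def sessions(ecdhe_secret, transcript1, ticket_nonce, transcript2):
    """Original (EC)DHE handshake, then a psk_ke resumption (no fresh DH)."""
    first = key_schedule(None, ecdhe_secret, transcript1)
    psk = ticket_psk(first["resumption_master"], ticket_nonce)
    resumed = key_schedule(psk, None, transcript2)
    return first, psk, resumed

def recover_psk_ke_keys(psk, transcript2):
    """What someone holding the ticket PSK plus the public transcript can
    recompute for a psk_ke resumption: all of its keys.  Someone holding
    only the server's long-term key recomputes nothing."""
    return key_schedule(psk, None, transcript2)["client_ap"]


if __name__ == "__main__":
    t1 = b"CH|SH|EE|CERT|CV|FIN (constructed)"
    t2 = b"CH(psk)|SH|EE|FIN (constructed)"
    first, psk, resumed = sessions(dh_shared_secret(), t1, b"\x00\x00", t2)
    print("resumed client key :", resumed["client_ap"].hex())
    print("recomputed from PSK:", recover_psk_ke_keys(psk, t2).hex())
```

Two things the model makes visible. First, `key_schedule` never takes a long-term key, which is the formal content of the claim that a resumption without DHE/ECDHE has the same forward secrecy as the session it resumes: disclosing the server's signing key later gives an attacker no input to the derivation. Second, `recover_psk_ke_keys` shows what the psk_ke resumption does depend on: whoever holds the ticket PSK can recompute every key of the resumed session, whereas adding a fresh (EC)DHE input (psk_dhe_ke) removes that. In this toy the PSK lives only in process memory; a real server usually wraps it in a ticket encrypted under a session-ticket key, so in deployment the forward secrecy of psk_ke resumptions is bounded by how long that ticket key is kept, which is the practical reason to prefer psk_dhe_ke and to rotate ticket keys.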