Re: [TLS] Comments on EndOfEarlyData
Richard Barnes <rlb@ipv.sx> Tue, 16 May 2017 21:29 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68AA012943F for <tls@ietfa.amsl.com>; Tue, 16 May 2017 14:29:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7a5mNPRmfrO for <tls@ietfa.amsl.com>; Tue, 16 May 2017 14:29:25 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FB8126BF3 for <tls@ietf.org>; Tue, 16 May 2017 14:24:30 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id v15so105522939wmv.1 for <tls@ietf.org>; Tue, 16 May 2017 14:24:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WsYuFscKpbWkWjgIbfBiWc8n4G7e6bPaw96Sf5fqOsQ=; b=uyO/BGB0ucCnoFY/Td6r9TU1XEX21hI6rgM59aN26FQw6Ghu/k/vEs24mg8xhFGxcG QAb3nDN3YQAarfB/IGd1KDPpo2BBupdhklENHuPBzLmi3vA4Y7dexa2kXJu1eamhx1S4 dNTyFu6eK/juF42NqRECkFbcLTENzwp6Xr2IDkj64ndIxVH8cQhrKRF35NkmOVFv+8zn idQ6IxObhl27V17l0lqSZ1OMaGE9sSVkfX1S8RlyS9j0u9g8JXOgZKuf5PjaKQHG6gaF N2k3pzsi+0bxL4g4/YX1gVr0pvJLlZ+JH4Ng076kuMbKxOHfPJhnto21hWQWQw9eLf5M JGwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WsYuFscKpbWkWjgIbfBiWc8n4G7e6bPaw96Sf5fqOsQ=; b=RD9YAilrCZFzgWkGtyTYtMxDRnw2FcgPBCF/4OLO0+D3lqQT1+VLvQckUFyxDMgS8l bc9IFJGV4ner3qCq2UvMr/LuI5yy2cQR6TJP9jSBV5mYZ08Cp+tQDt6RIfHl9dBR2UcS of7UE62pGMjXWl4+6BGHaO6jzamNupP6R+Q9v/Cz6ztq62q+aTLN17HBRHoEn4dccBXr zMHyFVTsDfiNyDAXmMPoSPJs7hY3wD+8nqe668Cpg74CzX7w/ylB7Ihm5dRe4xu5gjAv n49QoejMknLrOlFfyhZMAxvCxW0B8Gl7bO+eTWEZLgIgZ+FvkTSBl2II42xL5J7O/X0g wzyQ==
X-Gm-Message-State: AODbwcDeHwZh8H7gs38bcDetUvYPk2bEPjEE+VjdwfJG2pCrEAKi/k25 ZFtbCR7nysX4F523OTaoKJ2SqdyyhbML
X-Received: by 10.28.156.197 with SMTP id f188mr391019wme.76.1494969868873; Tue, 16 May 2017 14:24:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.179.68 with HTTP; Tue, 16 May 2017 14:24:28 -0700 (PDT)
In-Reply-To: <CABcZeBMu=9KPvmz-sDknXpa4Vjer=md=ZqsFqGd6WNEFdAxSdg@mail.gmail.com>
References: <66025639-5ceb-021a-61c4-60620c402a6c@ntnu.no> <CABcZeBMu=9KPvmz-sDknXpa4Vjer=md=ZqsFqGd6WNEFdAxSdg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 16 May 2017 17:24:28 -0400
Message-ID: <CAL02cgQHdpwAAb_nYLTXU2wJ3q65x=HEprCbYe0oEUN9cAQaMQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Britta Hale <britta.hale@ntnu.no>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114b3168fc0d31054faacb6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c4pR5vm6PeTVul3eWfi4S6pnjhQ>
Subject: Re: [TLS] Comments on EndOfEarlyData
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 21:29:28 -0000
On Tue, May 16, 2017 at 2:59 PM, Eric Rescorla <ekr@rtfm.com> wrote: > First, let me say I'm largely indifferent to this handshake versus alert > point, so if the WG wants to flip it back, I'm generally OK with that. > With that said, we recently implemented -20 and having it be > a handshake message is somewhat cleaner. > I'm inclined to keep EOED as a handshake message. I also found it cleaner to handle in my implementation than the alert-based alternative, especially using the state machines added recently. --Richard > > > On Tue, May 16, 2017 at 8:30 AM, Britta Hale <britta.hale@ntnu.no> wrote: > >> On the Sunday 30/05 TLS:DIV workshop there was mention of the >> EndOfEarlyData message and its status as a handshake message or alert >> message. >> >> The main argument mentioned for making EndOfEarlyData a handshake >> message is that alert messages usually signal "abortive closure of the >> connection" (e.g. fatal alerts). Having an EndOfEarlyData alert could be >> misleading (i.e. possibly implying that a session is ending instead of >> beginning). >> >> However, this intuition is incorrect. Alerts signal the end-of-use of >> keys, not the prohibition of further communication under other keys. >> Keys should be deleted and no further data should be sent on the >> connection. > > > This last sentence seems to reinforce the motivating intuition here, > namely that the alert signals the end of the *connection*, and so it's > odd to have EOED indicate a key change within a connection. > > > >> For TLS 1.2 (7.2.1) it is even made explicitly clear that >> session resumption is possible after a close_notify send/receipt. >> > > Indeed, but that's a session, not a connection > > > It seems natural then to make EndOfEarlyData an alert message, >> signifying end of 0-RTT data. Specifically, the 0-RTT handshake is >> followed by 0-RTT data and finally an EndOfEarlyData alert to end use of >> that key, while in parallel the remainder of the handshake and >> subsequent session key act almost as a further resumption (i.e. under a >> different key). >> > > I can see how you could look at it this way, but I'm not sure that that's > the natural way to look at it. If you're not doing DH, then these are > very much derived from the same PSK and the same client-side > nonce. > > > Making EndOfEarlyData an alert message also allows for clear key >> boundaries: if EndOfEarlyData is a handshake message, then we are mixing >> messages protected by the the client_early_traffic_secret and >> handshake_traffic_secret in the Finished message. > > > Well, we also mix unencrypted traffic into the Finished, right? Does this > present a practical problem for analysis? > > -Ekr > > Britta >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Martin Thomson
- Re: [TLS] Comments on EndOfEarlyData Eric Rescorla
- Re: [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Richard Barnes
- Re: [TLS] Comments on EndOfEarlyData Eric Rescorla
- Re: [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Eric Rescorla
- Re: [TLS] Comments on EndOfEarlyData Britta Hale
- Re: [TLS] Comments on EndOfEarlyData Benjamin Kaduk
- Re: [TLS] Comments on EndOfEarlyData Markulf Kohlweiss
- Re: [TLS] Comments on EndOfEarlyData Benjamin Kaduk
- Re: [TLS] Comments on EndOfEarlyData Markulf Kohlweiss
- Re: [TLS] Comments on EndOfEarlyData David Benjamin
- Re: [TLS] Comments on EndOfEarlyData Benjamin Kaduk
- Re: [TLS] Comments on EndOfEarlyData Salz, Rich
- Re: [TLS] Comments on EndOfEarlyData Andrei Popov