Re: [TLS] Limiting replay time frame of 0-RTT data

Colm MacCárthaigh <> Mon, 14 March 2016 21:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B10A12D661 for <>; Mon, 14 Mar 2016 14:04:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sjWQvkQGgPzw for <>; Mon, 14 Mar 2016 14:04:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7C8CD12D5AA for <>; Mon, 14 Mar 2016 14:04:10 -0700 (PDT)
Received: by with SMTP id h129so184151396ywb.1 for <>; Mon, 14 Mar 2016 14:04:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=h3YLzoGSw4K7WF8wx8aSjGjtd67rF3E7qJwD770C8k0=; b=11+mJF7FP+hYbyKZpVAr7IsFexnX4WDEjOTy0L8gO8stH5oRZZyZDMTixoRIahlERR zlo8tztdixKcVYwz/ryryaxYYYMMMkVVjjCnvjmliWQcKO5bCqJ0X3e15Eetxq5fg/gA Lt5hDmQ0SEa8mxjThy/Ldf9EeyUukGK3KLfRERcMX5gb/iBHf8bTbDsZI9MYklffiWts 3uD3GQNSGScqd1a52TpxBpKopppgkgbaldF1ZaA5S3ddpC5C8hXN/vXRnYWKvHcoIyyD 3vYjCX26Fo+Sl5Za6fo5H3DtZNWAFndFhytiyi+FHdbGkIDR+53mbzJ5tjQZO+UHHg0B m21g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=h3YLzoGSw4K7WF8wx8aSjGjtd67rF3E7qJwD770C8k0=; b=eDJOM0REEdYTNY9ssSqCsOzCZ0nb7aBMFXMS5TO8LN1Xd6bNCk/fWqRKs0HUDpArfu ThfscAvzgpOMeqxUmHvYs2nL0dNNn2cruO/5byHf87hHBovrb5I77HIhHrnFDoUb6glJ jslk+yhbGrwma22Wip7RuVQTq0WXTaXE4UDONegeFYHl5eAVF3GdtDaIb8Ka+I9tVPaH tiCqKN6kpac+AHAi+ZvvzqBhWzu11WXsNnvm2sAuMoOFvttTKBEgc3xTMWUCmS9GnviG 55sktbtYxVN6NDqZZ9yEVcX7erYYGBHNMA9oMVswWt8XimZv/eE7Xism2p2RAlhIUe4S 7dKg==
X-Gm-Message-State: AD7BkJIq+FPw3jTRfEv0RiDydSdk8L2y5i/0/yLJRR3Q2I6/XWQFx7PMJ1apocjqWP4ZZSUZqqGckGAtMDcUhw==
MIME-Version: 1.0
X-Received: by with SMTP id m206mr14188472ybb.168.1457989449610; Mon, 14 Mar 2016 14:04:09 -0700 (PDT)
Received: by with HTTP; Mon, 14 Mar 2016 14:04:09 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Mon, 14 Mar 2016 17:04:09 -0400
Message-ID: <>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <>
To: Ryan Hamilton <>
Content-Type: multipart/alternative; boundary=001a113fcb7a3b31ba052e089f7c
Archived-At: <>
Cc: Karthikeyan Bhargavan <>, "" <>
Subject: Re: [TLS] Limiting replay time frame of 0-RTT data
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Mar 2016 21:04:13 -0000

On Mon, Mar 14, 2016 at 3:15 PM, Ryan Hamilton <> wrote:
> On Sun, Mar 13, 2016 at 4:36 PM, Jeffrey Walton <>
> wrote:
>> 0-RTT seems to be a solution looking for a problem.
> ​Google has been using 0-RTT as part of the QUIC transport for quite a
> while now. In April of last year, we posted about the performance
> benefits we're seeing from QUIC
> <>.
> Among other things, that post said:
> Even on a well-optimized site like Google Search, where connections are
> often pre-established, we still see a 3% improvement in mean page load time
> with QUIC.
> From the browser side of things, 0-RTT is a solution to a very real
> problem. We are excited about TLS 1.3 supporting 0-RTT (or 0-RTT
> resumption) and converting QUIC to use the TLS 1.3 handshake as a result.

Are you sacrificing forward secrecy in this case? For a concrete example:
suppose $oppressive_government is collecting all traffic as a routine
matter of course, and then later a remote-ex, memory-disclosure, or
decrypt-oracle  (like the recent DROWN) came along on the server side:
could it be used to decrypt all of $worthy_dissident's requests? how long
for, how do you manage that trade-off?

On the "3% speed up" - we're not going to see that for TLS 1.3 though -
right? there's still the TCP handshake to perform; or is some kind of
custom TCP in the works? (does TCPCT work on the client side?). Do you have
any human perception data; to people even notice the 3% at this point?
(loading google seems remarkably fast!).  There's a very strong temptation
to bias for what's easy to measure here.