Re: [TLS] Call for adoption of draft-vvv-tls-cross-sni-resumption

Eric Rescorla <ekr@rtfm.com> Thu, 03 December 2020 21:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 297863A0C88 for <tls@ietfa.amsl.com>; Thu, 3 Dec 2020 13:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p14W4mrb_jk2 for <tls@ietfa.amsl.com>; Thu, 3 Dec 2020 13:00:19 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BA323A0C87 for <tls@ietf.org>; Thu, 3 Dec 2020 13:00:19 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id f18so4086304ljg.9 for <tls@ietf.org>; Thu, 03 Dec 2020 13:00:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cp78n29hG24I5cpg5jyWOSRVrl/z36LuizxccvV6Kbc=; b=AQuKlIZsnxp2mWjc/Jp48bfKgRzYb4s6iH/suaC8z3++HmKfneFzXKiZXanRZcU6IF OnnuBQbgtBKuqYJb2r3PYlI8ihv9MmnM+ULBI1CpQqAtTrxbq4AGObnKoIQo8sny3d2X u13lQrQ75ucE+FyRoWoXeLK/1iCRAQxFSTRpBdyUUqtnxENGOWs5oTVmZXiKmxF+OBz1 HyaEDC1pvHWwOLIbsqLZxCSCw3V1y9vYE2x4268jcKZu0xAkkEQUeo6h+aNToo7f5aiT 1it1omAJxx4e321nGug+FKuQJX2EB6nYp5hWDGZOP+2JTYZfSaIVZecVXStZYrt+1D9z Espw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cp78n29hG24I5cpg5jyWOSRVrl/z36LuizxccvV6Kbc=; b=N+fg83SkC/6y4C94nNSgGEcS1GtKx62BXd3uuTKEcuJ0boSyXGLS/Ebr5UEjDxPXcl dGOCkEEG9O0qzsAR8UElyRQKvLOQNDaGTpNJJ+1IJaDA1Ll7V3F+Gt7ZlXnPIDoJZgeE pEChQ7SAP5eaQvvTgixlcJorNOQ3v9UsCD4iU4cWHbcLVl73DOlM9TcWdF4khsXV9OFc hRpL4hiqZfSes6fpofT24/gHpU6V35olayq9h7saQpj77dvdkw5Z6ULdZUJiUu8reCdI QbLuNO5vIi2kj78uCeBpVf1NzZpjztjKMfBIaBKG14KnmvJo/svv0rghyFpUNB49Ay7w cBCg==
X-Gm-Message-State: AOAM531rbjqqXRXtMpM/oEjsMQ2QYXOdvGpdX9XuF1mjtBv2AoulDH+U RS27FblGNydm/g2tiGo3RLzQDM7AMXHwRx2YXGe2yQ==
X-Google-Smtp-Source: ABdhPJw8kIER70KqlM3IyMiqDREqM6BxNiCpd5mKrdFA2CnVGSzcEvMDzf8GPgpt/UbKowEKK3/4xKrv7ELjxJgEEOg=
X-Received: by 2002:a2e:8983:: with SMTP id c3mr1929789lji.184.1607029217264; Thu, 03 Dec 2020 13:00:17 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoATi+jFy53x5W4T6ai=xjH4VufhWaoABT5g_w=_72N8HA@mail.gmail.com> <CAOgPGoDJP8RNxjyrYWvPzvWOrkmDs9ssqFxvF1+mqtWg9BMF=w@mail.gmail.com> <24904640-192F-4557-98B6-094455D88CF5@akamai.com> <CABcZeBOvCXKfu=ENLfPyutgbDem7KuXBQPrju-B9_YuogFEXBg@mail.gmail.com> <CAF8qwaCn+8b2K=R5AvjrELeRvFCb82QBOCvPfOMtDgsao0nJOw@mail.gmail.com> <22DD5290-9978-4006-A192-EA4927F4FBAE@akamai.com>
In-Reply-To: <22DD5290-9978-4006-A192-EA4927F4FBAE@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 Dec 2020 12:59:40 -0800
Message-ID: <CABcZeBModS45EOGhAYdpOjPDAarLBZJXWjY0pK3eVcybB6mqaA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a39c6805b595a520"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/e4G3OiJRt08pzjWjzxM46qRteeA>
Subject: Re: [TLS] Call for adoption of draft-vvv-tls-cross-sni-resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 21:00:22 -0000

Hmmm... I think it probably goes in this draft, but I'm open to being wrong.

On Thu, Dec 3, 2020 at 12:46 PM Salz, Rich <rsalz@akamai.com> wrote:

>
>    -  I'm not sure if it's ever been written down anywhere (probably
>    should be...), but I think resumption is pretty much universally
>    interpreted as authenticating as the identities presented over the original
>    connection, client and server. That means that, independent of this draft,
>    the client should only offer a session if it is okay with both accepting
>    the original server identity, and presenting the original client identity.
>    (Analogously, HTTP connection reuse reuses TLS handshake-level decisions,
>    so you have to be okay with that decision to reuse the connection.)
>
>
>
> Totally agree.  @ekr, you want to make this change in your BIS draft?
>
>
>