Re: [TLS] Asking for certificate authentication when doing 0-RTT

Martin Thomson <martin.thomson@gmail.com> Wed, 25 May 2016 04:18 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ePWHHsz6XJdL9C0RbfZMJHNbAgc>

On 24 May 2016 at 19:06, Kyle Nekritz <knekritz@fb.com> wrote:
> What is the rationale for restricting a change in certificate? If the server has a new certificate that the client would accept with a full handshake, what threat is added by also accepting that certificate with a PSK handshake?

This was a request from David Benjamin.  But then all the things you
mention are why I think that it might have been a bad idea.  I think
that the idea was to avoid unnecessary changes.  Changes that might
regress the security decisions made originally.  It was the most
conservative choice without thinking about the problem too much.

However, if we model this as new connection + 0-RTT stuff, then I
think that we are good.  Probably.  If anyone disagrees it would be
good to hear that.