IETF Logo Mail Archive

Re: [TLS] #445: Enhanced New Session Ticket

Eric Rescorla <ekr@rtfm.com> Fri, 29 April 2016 18:37 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72E6F12D6EB for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 11:37:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhHoLI8HpkjP for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 11:37:31 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3826A12D6E6 for <tls@ietf.org>; Fri, 29 Apr 2016 11:30:42 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id t10so205708796ywa.0 for <tls@ietf.org>; Fri, 29 Apr 2016 11:30:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OqtUOw8otbHklIpTGnzipD/DxMAtWbsyfp1E2YdU+P4=; b=kCaZ2v71PojI/qxledvYriURTiAmg2Ek3ipj8XQ9dAry8PHCC7AbKvD1+X7oUy1J4K 63IbpINJOh2qHzXSYzqCE3hHGEWp3l7//nNON5nY+xi53fLVhr6vZro4F0n0X7SH2Bwt k/GNSZJBpLeSDcJ3y6LA+ayN2Q6svZy6vxRx3A2rxPJ7PSo51rPsHUWRxXs97rH6xkXp qfTaPD4Br/DBpk6gKelza8CzFQpTETKhAQ9y1o7krNfxF5wgl2VxElWuKKTWh9meyis5 WxcsAjCqR0YxKupiNRc7EqbYZi72eAwBUl8OVLRgWSlGyX8A8IcVKm9V6c1Z1HGNs6rh CrRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OqtUOw8otbHklIpTGnzipD/DxMAtWbsyfp1E2YdU+P4=; b=TRQCLkzA6LRUC/NytdtXeNZCA+UEXD4yYBxK3aH2nDjFnLRhibUUWQtfCdo7m9wLTU 0sxNDIV+DWivBsOLL194/wfOJcd0xq8moO5qZgDWIknn6S4fhWNxzH8v3EwVK3zZvSqo Rxw86lMDgh34gnIbJBkllrt1DWl2rlryTjmEMDHHTHSGLEqYSBWZMggmnpDtUvemOapT Y2ZSXFBfk9Ykkx8WMlsIoBpus9twsFxvWOXJSegQxMdubaa8TeWRGzGRuZDnEPLXZZUG SoC2yBBXM7lwHM5u+TEP+CqJE/eWLjPvE5TS/QKUmnsura1imz8K3XS8sjwbTJly3Bd/ gMOA==
X-Gm-Message-State: AOPr4FV4nTccGXDKiZYZYGX9lDQT71R3DQoSUVyJFFoiu16NDMAX4FwK31nEKWFdFPBiMjPIwhz0XmD53qTfLQ==
X-Received: by 10.13.237.1 with SMTP id w1mr12122324ywe.62.1461954641506; Fri, 29 Apr 2016 11:30:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Fri, 29 Apr 2016 11:30:02 -0700 (PDT)
In-Reply-To: <20160429174643.GA17765@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com> <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBMFg4iC-EN9DocqTpmjp46EYrTBdfi-G5nNMKN_xiHxVA@mail.gmail.com> <20160429055831.GA16405@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUFn_UrUFro-yLmn9wf7YkTpRf8anm7LK-bKgYBBkUVNg@mail.gmail.com> <20160429153831.GA16797@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO-C5+93b5qax0wCaUhrKgjVeziphHbQse7NuBCwhdSgA@mail.gmail.com> <20160429174643.GA17765@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 29 Apr 2016 11:30:02 -0700
Message-ID: <CABcZeBNUa-Ac8TvT=KbqiGtTnCYhtsxHhvmqXZuFYo4yz1c8Ew@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c0864a815ebb20531a3d74e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eaB1secDTb4BeT1jdwm51wILRC0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2016 18:37:32 -0000

On Fri, Apr 29, 2016 at 10:46 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Fri, Apr 29, 2016 at 09:16:07AM -0700, Eric Rescorla wrote:
> > On Fri, Apr 29, 2016 at 8:38 AM, Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> >
> > > On Fri, Apr 29, 2016 at 04:52:08PM +1000, Martin Thomson wrote:
> > > > On 29 April 2016 at 15:58, Ilari Liusvaara <ilariliusvaara@welho.com
> >
> > > wrote:
> > >
> > > EDI looks like rather sizable structure currently (even after
> compressing
> > > the configuration_id by obvious means).
> > >
> >
> > Are you looking at a different document than I am: EDI currently is:
> >
> >        struct {
> >            select (Role) {
> >                case client:
> >                    opaque context<0..255>;
> >
> >                case server:
> >                   struct {};
> >            }
> >        } EarlyDataIndication;
> >
> > And the context is basically a placeholder.
>
> Ah, I didn't see a PR about it and then looked at Editor's Copy.
> Clearly a different document.
>

Yes, 445 builds on 444.


>
> > Proposed text would be welcome here.
>
> Well, the more I think about this, the messier things about interaction
> between SNI, "static" PSKs and "dynamic" PSKs seem to be...
>
> And unlike ALPN, where problems only appear in context of 0-RTT, now you
> also get the issues without 0-RTT:
>
> > > > I mean for the subsequent handshake. Since 0-RTT ALPN and connection
> > > > > ALPN needs to match, either:
> > > > >
> > > > > 1) Take the 0-RTT ALPN implicitly as connection ALPN.
> > > > > 2) Signal the same ALPN again, and have that client MUST check it
> > > matches
> > > > >    and abort otherwise.
> > > >
> > > > I believe that we have to do the latter.  Since we can't be sure that
> > > > the server knows the ALPN from before if it has to reject 0-RTT.  My
> > > > plan for this is:
> > > >
> > > > 1. store ALPN in the ticket/session
> > > > 2. if doing 0-RTT, before accepting 0-RTT data, perform the normal
> > > > ALPN negotiation
> > > > 3. check the negotiated ALPN with the stored value, and if they don't
> > > > match reject the 0-RTT data
> > >
> > > 4. If 0-RTT is accepted, client checks the ALPN server sent and
> > > compares it with value it impiled. If those don't match, the client
> > > MUST abort.
> > >
> > >
> > > 1) would be:
> > >
> > > 1. store ALPN in the ticket/session
> > > 2. if doing 0-RTT, before accepting 0-RTT data, check if the 0-RTT
> > >    ALPN is acceptable. If it isn't, reject 0-RTT.
> > > 3. If 0-RTT was rejected, select new ALPN, signal it in Encrypted
> > >    Extensions.
> > >
> > > That would make ALPN and EDI mutually exclusive in EncryptedExtensions.
> > >
> >
> > This doesn't seem awesome from the client's perspective. I'm trying to
> make
> > the ordinary PSK-resumption design less of a special case.
>
> Well, the client needs to keep track of the ALP anyway. If for nothing
> else, to check that the server isn't trying to do anything crazy.
>

I don't see why that's true in the absence of 0-RTt. There's no reason why
the
server shouldn't be able to select any ALPN offers the client provides
regardless
of the original offer..

-Ekr



>
> I think it is easier for the client just to imply the ALP in presence of
> accepted 0-RTT.
>
>
> -Ilari
>

v2.23.0 | Report a Bug | By Email