IETF Logo Mail Archive

Re: [TLS] Remove DH-based 0-RTT

Watson Ladd <watsonbladd@gmail.com> Wed, 24 February 2016 16:34 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63A0F1B38A6 for <tls@ietfa.amsl.com>; Wed, 24 Feb 2016 08:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_24=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id czIIJ09S7cCg for <tls@ietfa.amsl.com>; Wed, 24 Feb 2016 08:34:25 -0800 (PST)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EE8A1B38A3 for <tls@ietf.org>; Wed, 24 Feb 2016 08:34:25 -0800 (PST)
Received: by mail-yk0-x22f.google.com with SMTP id r207so10148676ykd.2 for <tls@ietf.org>; Wed, 24 Feb 2016 08:34:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fu8q+AffX5U2473+jYZOxPk3Wrn6qoYnDZaXcgvb43Y=; b=BRy8MKCc55wvTPwhI4a0RG3a9/qY02V/2UCBED2X8qqzCROqdWc5N6GuegyQjtq6M6 QgBBmtYlEpIJaOfnjXzCEPgg8mVcfIcGRzwbLOGdBIKlCMJ7lbOnhyt4A63gzpr8LfHL 9WbTuOIokkqvcZmnTeL75k0rj9RkSbpA+upWDkO33AXyrDHHtnrSJdjiUHIlE1fA+x5R rLQPXuG2auwuz61D6/jYkTZDWQqogAHFE/GsvJ8wtN9TWJNsFJpPWIytrJ4PvM2wC/v+ QltPzXlUa+CpNMsPkCblL0d8J1a8KFbNNQXf1R7+r+xpHcMRLIBhVETtaBEAfQFdkCA6 DLrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=fu8q+AffX5U2473+jYZOxPk3Wrn6qoYnDZaXcgvb43Y=; b=EYIzOTKVTGq+6vXvZvxKPy2uqySOfUrx+A9w3OVu28/GuwEBsWOjzFbut2O4SnEUvS LjiCB7bPi6QPIYB3s2yOHa4zDZyZNK/0OD2lyOrLyGibwQ2jbG6YnA2fTZ3MFUKlm/DZ 6IUt8BvGR4POD08ggZZTBOkLAd31N1YyBbP80T6xn6YWrTwmZ8QUK0GUJ8C+p/jWZDz5 EbD5XvCKf0aJVMMma3MVUKQgU66JEq7xmDwM5F+/7xjhZEOvxRryTn1PyOQlfnHD2Rz6 pBaNwE358kv6xw1hFTQ2TDgD4EYvcWiJ6S8ffvas5TlRg/ASFOeHub9bh3sQAfUXt8XE sBbg==
X-Gm-Message-State: AG10YOTSzAZEuhGfvSENF64VIWv++F7QHuf9St9R1Gn8G6i9sLZym3AwjmnPUJn3GW3Z1uuLas3/oP33tneQxQ==
MIME-Version: 1.0
X-Received: by 10.37.25.212 with SMTP id 203mr20368328ybz.163.1456331664655; Wed, 24 Feb 2016 08:34:24 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Wed, 24 Feb 2016 08:34:24 -0800 (PST)
In-Reply-To: <CABkgnnX-+_fxAg=uJzDri-58+Ax0w2paQee8AEai-tCGCDv63A@mail.gmail.com>
References: <CABkgnnUUXQh=aStz4DuPtw5mWaF7aDFozuUwQp_QbJ2EGL0eHg@mail.gmail.com> <201602232057.18505.davemgarrett@gmail.com> <CADi0yUP-TAFPWgzG4voFTfUcbrPXcffC5rTTsbsOs+=TQ7jYmw@mail.gmail.com> <CACsn0cnoCNLPY3ic9Z72ZgUuvCwTyxzzGXU5W8LeZ4zBEwpHVw@mail.gmail.com> <CABcZeBNCgfdsBioP8_9E2Jrh0WDLHjW0QS+x=99LqdYnYwsbuw@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99564E7F92@PRN-MBX01-4.TheFacebook.com> <CABkgnnX-+_fxAg=uJzDri-58+Ax0w2paQee8AEai-tCGCDv63A@mail.gmail.com>
Date: Wed, 24 Feb 2016 08:34:24 -0800
Message-ID: <CACsn0cmV5L40SdDdD6vU8n7TvAOjyXNf1SMJm9Eryhv7rnbwOg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eo_AOLl-I5MbA-2_gGojxmwr4OI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Remove DH-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 16:34:26 -0000

On Wed, Feb 24, 2016 at 7:54 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 24 February 2016 at 07:44, Subodh Iyengar <subodh@fb.com> wrote:
>> Unless we add a way for the client to require a server authentication during
>> PSK resumption.
>
> I have been arguing for this now for a while.  If there is an
> incentive to do "PSK resumption" (there is), and that does not provide
> the client a way to verify server certificates, then clients are
> forced to make a choice between performance and checking that the
> server holds the private key for the certificate.  I'd like to see a
> mode where 0-RTT is grafted on to a full handshake with DHE and
> signing.  Unfortunately, that gives us an almost full matrix of
> options:

Part of the motivation for session tickets in the first place was the
cost of signing and DH. So long as servers can negotiate a resumption
mode without these, and clients offer it, there is no liveness check.
And if we require a DH+sign every resumption, we don't gain anything
over the full exchange except 0-RTT. Why is this server liveness issue
not considered a problem for TLS 1.2 resumption?

>
> PSK only
> PSK + DHE
> PSK + DHE + signing
> DHE + signing
>
> But at least we can remove "DH0RTT + DHE + signing" and maybe other
> combinations (though which ones we have currently isn't 100% clear to
> me).

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email