Re: [TLS] Call for consensus: Removing 0-RTT client auth
Eric Rescorla <ekr@rtfm.com> Thu, 31 March 2016 17:22 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E62612D6CB for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 10:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NLvk3zeK6SUy for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 10:22:06 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E1B712D6B0 for <tls@ietf.org>; Thu, 31 Mar 2016 10:22:06 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id h65so106181118ywe.0 for <tls@ietf.org>; Thu, 31 Mar 2016 10:22:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1ch5qBfZo8qczc/LfyQloe4C/LnqljDJW06sEAwAZFc=; b=VRPkEv4m+ZrFjreVqwQNO9SMxncQOGY1INGkmc2DcYCRiPbNtlG530/cIqzGOpd6lm b/uSgaNWrgJHBe6hO20tq3idAZCUev2w9bO10Ih7BL9YAb0nNN2WA2tJ0TUL+VJn3FIU 86RY6PFKYOynYlyvJongs0TdQmcyrsCVAWs2O1aoR3+Rucn9MOY+yGQSaVg+GLGsoEsZ VV2MfYBgOWR/P8fWOx875sBgRjnNjAk+QSn7Eq82waHWVuGOj+Z/8oNeABw940m7KApQ +s78T+ZbxmgJHiYUi5ICFdI+xq568DWUIvjqa9c//osazB6ZfW4Ods0z/2XmB3BnPmA5 sMlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1ch5qBfZo8qczc/LfyQloe4C/LnqljDJW06sEAwAZFc=; b=XpDQde2ZqmP8M2rf2qkIUSuGOfoxlKR+QYz7oG/ErJNtkRmfxHfKMtNe+EHR/n0bRr uxmLB8nDOQaoNgYH7XzMqjZwheR0VSMN/Wg2FzhgvPGaxSJeK0b7UryF1Pzz8f026qJ3 0SMDQX7gcoG6PUbYKgezQe/pPuTTaWyeWEVjIh4FJZuw994TOPZEraWjroveV8WE+AA9 c7N2Fs9/KkFU10mQebI4UPs180P43G7exPiKAXz1YGjqHlZW0Po0IlkIf56td5vbyw4S 8QoFNCWMDwStzyRpJZ27GXHl8TF/kNTBLiVIJmRcTA+bZ0lWZ5mxXETvaO9SsArTEeyq qjJQ==
X-Gm-Message-State: AD7BkJIRl1Bbs5yOytvb/DtgDpkxDSINydZRYBJLmtkeMGxTXGya008eAnFX9WeVSn4/tIvGdsT5ySYfjdL9tg==
X-Received: by 10.37.231.216 with SMTP id e207mr8631181ybh.130.1459444925249; Thu, 31 Mar 2016 10:22:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Thu, 31 Mar 2016 10:21:25 -0700 (PDT)
In-Reply-To: <56FD5BC3.5060103@akamai.com>
References: <AABACDA8-6A12-4023-A971-1254CED4893F@sn3rd.com> <56FD154D.1030300@gmx.net> <CAH9QtQGBrvbPp4V8SMwK1WuUQpJKMo-1z8bs6rCO_d-w0JJE8A@mail.gmail.com> <56FD5978.3040401@akamai.com> <CABcZeBM62eZfZX_yyBbur82ru4y8COzp4s2rurSw6E-XJYeiMg@mail.gmail.com> <56FD5BC3.5060103@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 31 Mar 2016 10:21:25 -0700
Message-ID: <CABcZeBPdVK32FmfCuHMhDWGVnMX4n4R4xgWyx1o6+8RXq5EBnA@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Content-Type: multipart/alternative; boundary="94eb2c0b11d0574414052f5b80fd"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ewvUStqSruSjbq2ztKjzUDMU1-8>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing 0-RTT client auth
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 17:22:09 -0000
On Thu, Mar 31, 2016 at 10:17 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote: > On 03/31/2016 12:13 PM, Eric Rescorla wrote: > > > > On Thu, Mar 31, 2016 at 10:08 AM, Benjamin Kaduk < <bkaduk@akamai.com> > bkaduk@akamai.com> wrote: > >> On 03/31/2016 12:02 PM, Bill Cox wrote: >> >> On Thu, Mar 31, 2016 at 5:17 AM, Hannes Tschofenig < >> <hannes.tschofenig@gmx.net>hannes.tschofenig@gmx.net> wrote: >> >>> Hi Sean, >>> >>> we at ARM would find it somewhat unfortunate to remove the client >>> authentication feature from the 0-RTT exchange since this is one of the >>> features that could speed up the exchange quite significantly and would >>> make a big difference compared to TLS 1.2. >>> >> >> Client certs can still be used with PSK 0-RTT, but only on the initial >> 1-RTT handshake. it is up to the client to ensure that the security of the >> resumption master secret (RMS) is solid enough to warrant doing 0-RTT >> session resumption without re-verification of the client cert. >> >> >> That seems to rule out most corporate uses of client certs [for 0-RTT >> client authentication], since I doubt anyone will be interested in trusting >> that the client does so properly. >> > > Do those servers generally carry over client auth through resumption? > > > I don't know, offhand. I just wanted to point out that for one sizeable > use case for client certs in general (not considering 0RTT), this proposed > scheme does not seem useful. It may still be useful in other use cases, of > course. > I'm really not following you here. My point is that for TLS 1.2 there are two categories of servers that do client auth: - Those which carry over client auth through resumption - Those which do not The former should be equally happy (modulo all the concerns about replay, etc.) to carry over client auth through 0-RTT resumption. The latter will presumably not be but can do 1-RTT. The question then becomes how large the two populations are. -Ekr > > -Ben >
- [TLS] Call for consensus: Removing 0-RTT client a… Sean Turner
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Eric Rescorla
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Eric Rescorla
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Dan Harkins
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Subodh Iyengar
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Joseph Salowey