Re: [TLS] PR#449
David Benjamin <davidben@chromium.org> Wed, 11 May 2016 19:22 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1500312D58B for <tls@ietfa.amsl.com>; Wed, 11 May 2016 12:22:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.189
X-Spam-Level:
X-Spam-Status: No, score=-2.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RzMwcNfFjjci for <tls@ietfa.amsl.com>; Wed, 11 May 2016 12:21:57 -0700 (PDT)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A316012D767 for <tls@ietf.org>; Wed, 11 May 2016 12:21:57 -0700 (PDT)
Received: by mail-ig0-x235.google.com with SMTP id u5so24061012igk.1 for <tls@ietf.org>; Wed, 11 May 2016 12:21:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=H6+j3F+q2lNfornlsNXFcvRdet7UadldujCrFO4EJdI=; b=a4YsItztBjil+dtZXcmXyncKMX3MUS5d4zYF3kMWgt8IQ1UG3xejezewPstcc/K/GJ XvbQkxN3HKBv/mkH0H8ZuhUFPseqiCo2qhluHYUSkOvpl95hVvevhA9mACv9dnVlmwwz xMi0KQAyfc01BIw0kjcOaHGZv3MCV665foc8c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=H6+j3F+q2lNfornlsNXFcvRdet7UadldujCrFO4EJdI=; b=cG8MTSnt/XW3Dy4/XE96KaUh0NVWw6wTBvKL51K/SFqXaeGi3HyDCE5BkLeDUAnNtv B6TkOCDLHamMTc7d9tmcyTYn0VFC2OReqjPBl4YPdcdpIsLGy3fvoE8H3LvzBQgdpdO4 kCyztVs/9TK9BDvdSD3jzpBQyQOYXzdvMJ4KuKU1yaRkO96Vj57rxbccy4zouKGr2xmI nqnbn00v5J1EOAOKKDa3I6EB4sPbWCVkczyeH01hRGC40DPicJxQEQDlicF/4O9IMNrX CSoYsETonl985/9/KtFuRABp2WOAcDRmhDLCJTo38FNp+drzTfLDqmJXUC5lgKq4JBXx 4mYw==
X-Gm-Message-State: AOPr4FXeL19gZn0FRXlTzMOypzPQxD2lvi/6I87HZz3QqLYQDCR0NZiRk3kQCV+dCfo0Ol/Qbn4xery7bT9JVumk
X-Received: by 10.50.18.132 with SMTP id w4mr4866187igd.83.1462994516881; Wed, 11 May 2016 12:21:56 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBM0-tofOi3TnVBOuhkhWjyqwtf-vVwJ7GB8vD4=jYqOcA@mail.gmail.com>
In-Reply-To: <CABcZeBM0-tofOi3TnVBOuhkhWjyqwtf-vVwJ7GB8vD4=jYqOcA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 11 May 2016 19:21:46 +0000
Message-ID: <CAF8qwaCe1_zryAobM3azo9Pcieh=N5d2+3V4kxk2CNuUbHRdOg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="14dae93b57d27d21c3053295f4a6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/f4lPO4rghcADzePlNhVYrPeWMHI>
Subject: Re: [TLS] PR#449
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 19:22:01 -0000
This change has a non-obvious consequence for server implementation complexity. I don't have an especially good alternate proposal though. Putting ticket_age in EncryptedExtensions means there are two ways a server may reject 0-RTT. It might reject ClientHello because the ticket is invalid (or if ALPN doesn't match the client and server's new preferences, etc.), or it might reject at EncryptedExtensions because the ticket_age is bad. But rejecting at the second point requires going back to the ClientHello and re-negotiating parameters, etc., as in a full handshake. This is a fairly involved part of the handshake and adding a state machine transition (TLS stacks often look like asynchronous state machines driven by handshake messages) in the middle of it invites a lot of bugs. Options I see: 1. Leave it as-is and implementations just deal with it. The simplest way out would be to buffer and defer processing the ClientHello until after EncryptedExtensions (or lack thereof) is known. Note this is a little subtle because you may not have a ticket to decrypt EncryptedExtensions. 2. A bad ticket_age is a fatal error, not a 0-RTT reject. This requires that the server timeout be fairly generous to avoid the slowest RTT anyone might care about. Roughly match the timeout for the client's second leg. But if the client's clock changes between getting the ticket and trying 0-RTT, we'd punish them with connection error rather than a full handshake. That seems poor. 3. Smuggle an encrypted ticket_age inside the ClientHello. This means avoids the complex framing, but now we need some ad-hoc encryption inside an extension. It needn't be very complicated, but it's a wart. (Silliest option is NewSessionTicket contains 4 random bytes or you derive something from the resumption secret and XOR it into the data since this is something we were otherwise okay with sending in the clear anyway. It's just about avoiding a vague correlator when tickets are only used once. Or we could do something less silly and more heavyweight like actually run the record layer.) I'm not thrilled about #2 or #3 and getting #1 right isn't impossible, but it would be nice to avoid these sorts of sharp edges if we can. David On Wed, May 11, 2016 at 7:38 AM Eric Rescorla <ekr@rtfm.com> wrote: > https://github.com/tlswg/tls13-spec/pull/449 > > In Buenos Aires, we agreed to add EncryptedExtensions from the client > in 0-RTT to carry the ticket age/elapsed_time. I have written this up in > the PR above. Comments welcome. > > Target Merge date: Friday. > > -Ekr > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] PR#449 David Benjamin
- [TLS] PR#449 Eric Rescorla
- Re: [TLS] PR#449 Ilari Liusvaara