IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Richard Fussenegger <richard@fussenegger.info> Thu, 23 October 2014 19:54 UTC

Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886391ACFFE for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 12:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7d8d1zI0o9A for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 12:54:03 -0700 (PDT)
Received: from mx205.easyname.com (mx205.easyname.com [212.232.28.126]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E0A41ACEBA for <tls@ietf.org>; Thu, 23 Oct 2014 12:54:03 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1XhOSN-0008NX-JM for tls@ietf.org; Thu, 23 Oct 2014 21:54:01 +0200
Message-ID: <54495CBF.6040809@fussenegger.info>
Date: Thu, 23 Oct 2014 21:53:35 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org> <5449463D.7080904@fussenegger.info> <20141023183637.GX19158@mournblade.imrryr.org> <03546F3D-816C-481A-A577-9797855A9DED@pahtak.org>
In-Reply-To: <03546F3D-816C-481A-A577-9797855A9DED@pahtak.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms000903060004070604050700"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hZF0Do70A5eKCUWQAIBpIDcykNs
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 19:54:09 -0000

On 10/23/2014 9:35 PM, Stephen Checkoway wrote:
> This seems perfectly reasonable (both for general N and for specific N = 2 or N = 3). But does it make any difference from a protocol perspective? The only way a client could tell if a server is doing something wrong is if the client knows the upper limit on the ticket's validity  NT and sends a ticket after that time which the server accepts.
>
> I'm probably missing something but it seems like there's no real way to detect if the server has followed any particular policy for a ticket so the details (such as key rotation and symmetric algorithm strength) should be left entirely up to the server. (Or resumption should be dropped from 1.3.)
>
> Giving guidance seems reasonable. Setting unenforceable limits does not.

Some parties think that only giving recommendations isn't enough 
(example quoted below), so why not give some rules then? Of course 
there's no way for a client to validate anything, but at least people 
can perform code reviews to check open or their own closed source 
projects to see if they are implemented correctly according to the RFC.

> The RFC doesn’t describe how key management should be performed and 
> merely emits recommendations. This has been found to be problematic in 
> OpenSSL’s case […]
> —Florent Daigniere: “TLS “Secrets””, p. 7, online: 
> https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf

I know, I'm using that reference too much, still …

Richard

v2.23.0 | Report a Bug | By Email