IETF Logo Mail Archive

Re: [TLS] Separate APIs for 0-RTT

David Benjamin <davidben@chromium.org> Wed, 14 June 2017 22:24 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F584127077 for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 15:24:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xNLFNUBhrZWJ for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 15:24:07 -0700 (PDT)
Received: from mail-pg0-x22e.google.com (mail-pg0-x22e.google.com [IPv6:2607:f8b0:400e:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE17F120724 for <tls@ietf.org>; Wed, 14 Jun 2017 15:24:06 -0700 (PDT)
Received: by mail-pg0-x22e.google.com with SMTP id a70so6027292pge.3 for <tls@ietf.org>; Wed, 14 Jun 2017 15:24:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=CL3t9OdUYFx0grBYdW7G1AaYpqMoSZX6zn6pqO+rwt8=; b=TVFgNa7tszTjw1ILUt3tt9C45EXS5GjDyw3LUfBIZrkHYKWZSGDQ5SYRK5rDLw5uUi 8PL35VyzVELwUu/2U90UAU3vROhgWWqyI6Do7AEDvJWnuX/sMFXqU3hC3rfr/aJsrUIY tOMbe5eyflKuOzbxNGTqza/cHPhJXw2Q8sO34=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=CL3t9OdUYFx0grBYdW7G1AaYpqMoSZX6zn6pqO+rwt8=; b=kOBlVW6PP8fpxbIvYugXzAiqL50GEL5B/o6zKdji1rUbpsJE65kxJnlT99TP6WQxln atfHqQuWgUZ8H2VGFSxGv3H9u4tIh4lE0rg2Rj8JZaahyUVzocUHEzd5fwNUedvs2iqg +C6G3Gl5zsi+Bd/BlXU8ty3x2bwgo4uzf80hlKzbQxhUOas/3c4EoEQGeIxI2tQm2Im+ kNBqVl14b4R+FdJdaoGhYEo5TvXg/TfcFqKrqI0BvaoDRTAVb5eOqOjon55SPGWIXk4N bQQhkq/PcORqhrIdh/wqNTASy949Xo8G7n08e6Y8dWqTCPFe1zEZpSOFL7zFMTNFQz/L XPdA==
X-Gm-Message-State: AKS2vOyba6CCW8tKfhaTPqGOLfszkDCUqnzdH0WtspzQZ/spQUCRU0GF FbSJINzKVtLdALUX9HojBUJa2KmpZAICe8k=
X-Received: by 10.84.128.33 with SMTP id 30mr2559100pla.38.1497479046344; Wed, 14 Jun 2017 15:24:06 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com>
In-Reply-To: <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 14 Jun 2017 22:23:54 +0000
Message-ID: <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>, Petr Špaček <petr.spacek@nic.cz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c11e98e9e0b160551f302fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iiA_T6CtE_KH42rIiKwaiuFL2ZM>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 22:24:09 -0000

On Wed, Jun 14, 2017 at 5:01 PM Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

>
>    - What if the server receives data with the 0-RTT boundary spanning an
>    HTTP/2 frame? Is that a 0-RTT request? 1-RTT? Invalid?
>
> It appears safe to treat such data as 0-RTT; only the application can make
> this call, and it needs info from the TLS stack to make this call.
>

I actually would suggest it being 1-RTT. Or rather that a processing-time
check would count it as 1-RTT. Though I think I don't see anything
particularly wrong with it being 0-RTT either? *shrug*


>
>
>
>    - We could say that the application profile should modify the protocol
>    to reject such cases. Now, we’re taking on complexity in every protocol
>    specification and parser.
>
> It would of course be preferable (some would argue, necessary) to secure
> 0-RTT application_data at the TLS layer, but so far we’ve failed to come up
> with a way to do so.
>
>
>
>    - Our problem is a server wishes not to process some HTTP requests (or
>    other protocol units) at 0-RTT and needs to detect this case. So check a
>    boolean signal for whether the connection has currently passed the 1-RTT
>    point before any unsafe processing.
>
> I think this would be a valid implementation of #3. There may be other
> implementation options that make more sense for a different TLS API or a
> different application protocol, so I’d rather not put a specific
> implementation option in the RFC.
>

Sure, if that is the interpretation of #3, that works fine for me. My
objection is to trying to pass along a hard separation between the two
chunks of data, to the point that the sender actually cares about some data
getting sent *before* the boundary. Caring about some data being sent after
the boundary is very reasonable and natural. POSTs, perhaps. Before is
complex because you must synchronize and defer the boundary. The trouble is
a before constraint gets implied by lots of stuff.

Specifically, I would propose a looser phrasing for #3:

When accepting 0-RTT as a server, a TLS implementation SHOULD/MUST provide
a way for the application to determine if the client Finished has been
processed.

That is, it is not the identity of the bytes that matters much. It's
whether the connection has been confirmed when you perform an unsafe
action. I believe this still satisfies the properties we want, but without
breaking standard interfaces. Very near the TLS stack, at the point where
the record boundary abstraction starts leaking (it's common to only give
you back a single record on read), either API is equally easy to provide.
The looser phrasing is needed for composition once you start going up a
layer or to.

David

>

v2.23.0 | Report a Bug | By Email