Re: [TLS] Separate APIs for 0-RTT
David Benjamin <davidben@chromium.org> Wed, 14 June 2017 22:24 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F584127077 for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 15:24:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xNLFNUBhrZWJ for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 15:24:07 -0700 (PDT)
Received: from mail-pg0-x22e.google.com (mail-pg0-x22e.google.com [IPv6:2607:f8b0:400e:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE17F120724 for <tls@ietf.org>; Wed, 14 Jun 2017 15:24:06 -0700 (PDT)
Received: by mail-pg0-x22e.google.com with SMTP id a70so6027292pge.3 for <tls@ietf.org>; Wed, 14 Jun 2017 15:24:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=CL3t9OdUYFx0grBYdW7G1AaYpqMoSZX6zn6pqO+rwt8=; b=TVFgNa7tszTjw1ILUt3tt9C45EXS5GjDyw3LUfBIZrkHYKWZSGDQ5SYRK5rDLw5uUi 8PL35VyzVELwUu/2U90UAU3vROhgWWqyI6Do7AEDvJWnuX/sMFXqU3hC3rfr/aJsrUIY tOMbe5eyflKuOzbxNGTqza/cHPhJXw2Q8sO34=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=CL3t9OdUYFx0grBYdW7G1AaYpqMoSZX6zn6pqO+rwt8=; b=kOBlVW6PP8fpxbIvYugXzAiqL50GEL5B/o6zKdji1rUbpsJE65kxJnlT99TP6WQxln atfHqQuWgUZ8H2VGFSxGv3H9u4tIh4lE0rg2Rj8JZaahyUVzocUHEzd5fwNUedvs2iqg +C6G3Gl5zsi+Bd/BlXU8ty3x2bwgo4uzf80hlKzbQxhUOas/3c4EoEQGeIxI2tQm2Im+ kNBqVl14b4R+FdJdaoGhYEo5TvXg/TfcFqKrqI0BvaoDRTAVb5eOqOjon55SPGWIXk4N bQQhkq/PcORqhrIdh/wqNTASy949Xo8G7n08e6Y8dWqTCPFe1zEZpSOFL7zFMTNFQz/L XPdA==
X-Gm-Message-State: AKS2vOyba6CCW8tKfhaTPqGOLfszkDCUqnzdH0WtspzQZ/spQUCRU0GF FbSJINzKVtLdALUX9HojBUJa2KmpZAICe8k=
X-Received: by 10.84.128.33 with SMTP id 30mr2559100pla.38.1497479046344; Wed, 14 Jun 2017 15:24:06 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com>
In-Reply-To: <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 14 Jun 2017 22:23:54 +0000
Message-ID: <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>, Petr Špaček <petr.spacek@nic.cz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c11e98e9e0b160551f302fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iiA_T6CtE_KH42rIiKwaiuFL2ZM>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 22:24:09 -0000
On Wed, Jun 14, 2017 at 5:01 PM Andrei Popov <Andrei.Popov@microsoft.com> wrote: > > - What if the server receives data with the 0-RTT boundary spanning an > HTTP/2 frame? Is that a 0-RTT request? 1-RTT? Invalid? > > It appears safe to treat such data as 0-RTT; only the application can make > this call, and it needs info from the TLS stack to make this call. > I actually would suggest it being 1-RTT. Or rather that a processing-time check would count it as 1-RTT. Though I think I don't see anything particularly wrong with it being 0-RTT either? *shrug* > > > > - We could say that the application profile should modify the protocol > to reject such cases. Now, we’re taking on complexity in every protocol > specification and parser. > > It would of course be preferable (some would argue, necessary) to secure > 0-RTT application_data at the TLS layer, but so far we’ve failed to come up > with a way to do so. > > > > - Our problem is a server wishes not to process some HTTP requests (or > other protocol units) at 0-RTT and needs to detect this case. So check a > boolean signal for whether the connection has currently passed the 1-RTT > point before any unsafe processing. > > I think this would be a valid implementation of #3. There may be other > implementation options that make more sense for a different TLS API or a > different application protocol, so I’d rather not put a specific > implementation option in the RFC. > Sure, if that is the interpretation of #3, that works fine for me. My objection is to trying to pass along a hard separation between the two chunks of data, to the point that the sender actually cares about some data getting sent *before* the boundary. Caring about some data being sent after the boundary is very reasonable and natural. POSTs, perhaps. Before is complex because you must synchronize and defer the boundary. The trouble is a before constraint gets implied by lots of stuff. Specifically, I would propose a looser phrasing for #3: When accepting 0-RTT as a server, a TLS implementation SHOULD/MUST provide a way for the application to determine if the client Finished has been processed. That is, it is not the identity of the bytes that matters much. It's whether the connection has been confirmed when you perform an unsafe action. I believe this still satisfies the properties we want, but without breaking standard interfaces. Very near the TLS stack, at the point where the record boundary abstraction starts leaking (it's common to only give you back a single record on read), either API is equally easy to provide. The looser phrasing is needed for composition once you start going up a layer or to. David >
- [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Salz, Rich
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Steven Valdez
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Loganaden Velvindron
- Re: [TLS] Separate APIs for 0-RTT Benjamin Beurdouche
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Petr Špaček
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Brian Sniffen
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Martin Thomson
- Re: [TLS] Separate APIs for 0-RTT Timothy Jackson
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Yoav Nir