Re: [TLS] Followup on Update
Dave Garrett <davemgarrett@gmail.com> Wed, 25 February 2015 01:43 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 250FE1A8881 for <tls@ietfa.amsl.com>; Tue, 24 Feb 2015 17:43:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJ4TlZO6uHdi for <tls@ietfa.amsl.com>; Tue, 24 Feb 2015 17:43:53 -0800 (PST)
Received: from mail-vc0-x234.google.com (mail-vc0-x234.google.com [IPv6:2607:f8b0:400c:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA8D01A877F for <tls@ietf.org>; Tue, 24 Feb 2015 17:43:53 -0800 (PST)
Received: by mail-vc0-f180.google.com with SMTP id im6so301628vcb.11 for <tls@ietf.org>; Tue, 24 Feb 2015 17:43:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:references:in-reply-to:mime-version :content-type:content-transfer-encoding:message-id; bh=bO6N7KPc36EEqCQ4pdKZdkyoRkjT/cSCYy+TO0UcbRE=; b=z62MDxcnXnbTxZvWw3XaYkEL9MRt+2rQVXeFQC5nRFyPfNU+Q4gyGjpwDZvDAVgxRF 7Ywz4s6HqmJ5qvw/x1VG2ejudsyAClti+efHORf6peWRbJKG36BltE0QTld85XSPpyW5 IcUltklhfJgAB2Qi+c4CEiuFbSO+X5MavBpTDhQ2VjQTSMLPvYVaLbLTGMqILkxeQW90 u0t+f8Mz0uXX6CJaxGCawuzvW1SGxVWpbp9jIBfayuWGEkeX/QR2zlOC24xl3MkWU3XR jkcvv5v63APcQz4iAFjrDXVaceXMdB+j7EMEgXb39MVE0D98SSlkqSkf28lNWlUazqJc DXfg==
X-Received: by 10.52.155.104 with SMTP id vv8mr1142251vdb.64.1424828632889; Tue, 24 Feb 2015 17:43:52 -0800 (PST)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id rt15sm5618990vdb.12.2015.02.24.17.43.51 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 24 Feb 2015 17:43:51 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org, Eric Rescorla <ekr@rtfm.com>
Date: Tue, 24 Feb 2015 20:43:49 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-71-generic-pae; KDE/4.4.5; i686; ; )
References: <CABcZeBNLe+ffTPVi=i5xHCPL=eEKfM++RhjAf05S_sRwaAB72A@mail.gmail.com>
In-Reply-To: <CABcZeBNLe+ffTPVi=i5xHCPL=eEKfM++RhjAf05S_sRwaAB72A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201502242043.50128.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ikjRUsnqU8G3wYT8l2MUq9vizF0>
Subject: Re: [TLS] Followup on Update
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 01:43:55 -0000
On Tuesday, February 24, 2015 07:44:22 pm Eric Rescorla wrote: > Folks, > > I'd like to get a sense of the WG on whether they want to pursue the Update > mechanism [0]. > > There are several possibilities here, including: > > - Just do basic Update > - Move session ticket establishment to Update > - Mode client authentication to Update > > My sense from the discussion in HNL was that people were generally > positive on basic Update and unsure on the other two. If that's right, > I'll buff up PR#94 for merge into the spec (pending chair approval). > > Thanks, > -Ekr > > > [0] See https://github.com/tlswg/tls13-spec/pull/94 for a WIP > version of the basic mechanism. The current proposal says: "An implementation MAY send an UpdateRekey at any time after the handshake completes." Is there a particular reason to not just have an automatic rekey at semi-regular intervals? So, every N records or M minutes (or whichever comes first) an endpoint must send a rekey, and then after a similarly measured interval the other endpoint sends a rekey; repeat ad infinitum. This would also ensure entropy for rekeying comes from both endpoints equally over the course of the connection. I would expect it would be better to not rely on implementations all designing their own heuristics on when to send rekey updates, and also would avoid multiple updates being sent at the same time by each endpoint (and the possible pitfalls of doing so). Dave
- [TLS] Followup on Update Eric Rescorla
- Re: [TLS] Followup on Update Dave Garrett
- Re: [TLS] Followup on Update Eric Rescorla
- Re: [TLS] Followup on Update Martin Thomson
- Re: [TLS] Followup on Update Dave Garrett
- Re: [TLS] Followup on Update Ilari Liusvaara
- Re: [TLS] Followup on Update Watson Ladd
- Re: [TLS] Followup on Update Joseph Salowey
- Re: [TLS] Followup on Update Eric Rescorla
- Re: [TLS] Followup on Update Dave Garrett