Re: [TLS] Unifying tickets and sessions

Stephen Checkoway <s@pahtak.org> Thu, 23 October 2014 19:36 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Stephen Checkoway <s@pahtak.org>
In-Reply-To: <20141023183637.GX19158@mournblade.imrryr.org>
Date: Thu, 23 Oct 2014 15:35:59 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <03546F3D-816C-481A-A577-9797855A9DED@pahtak.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org> <5449463D.7080904@fussenegger.info> <20141023183637.GX19158@mournblade.imrryr.org>
To: tls@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jd9vSnFm7z16PZZ1l87lABGgzZ0
Subject: Re: [TLS] Unifying tickets and sessions
Precedence: list

On Oct 23, 2014, at 2:36 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> The number of key sets is irrelevant, all that matters is how long
> each one is retained.  Postfix defaults to 2 hours (1 hour encrypt
> and 1 hour decrypt).  With N keysets, you'd have (T encrypt, (N-1)*T
> decrypt).

This seems perfectly reasonable (both for general N and for specific N = 2 or N = 3). But does it make any difference from a protocol perspective? The only way a client could tell if a server is doing something wrong is if the client knows the upper limit on the ticket's validity  NT and sends a ticket after that time which the server accepts.

I'm probably missing something but it seems like there's no real way to detect if the server has followed any particular policy for a ticket so the details (such as key rotation and symmetric algorithm strength) should be left entirely up to the server. (Or resumption should be dropped from 1.3.)

Giving guidance seems reasonable. Setting unenforceable limits does not.

-- 
Stephen Checkoway

[TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Brian Smith
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Martin Thomson
Re: [TLS] Unifying tickets and sessions Brian Smith
Re: [TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
Re: [TLS] Unifying tickets and sessions Martin Thomson
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions David Leon Gil
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions David Leon Gil
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Ryan Carboni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Ryan Carboni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Martin Thomson
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Aaron Zauner
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Aaron Zauner
Re: [TLS] Unifying tickets and sessions Douglas Stebila
Re: [TLS] Unifying tickets and sessions Blumenthal, Uri - 0558 - MITLL
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Stephen Checkoway
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Joseph Salowey
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
Re: [TLS] Unifying tickets and sessions David Leon Gil