Re: [TLS] Separate APIs for 0-RTT

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 13 June 2017 16:19 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/k4Bg0hC4XH8YmhXIekfzAgfeoQQ>

Correct, I’m planning a separate API surface for 0-RTT, as OpenSSL did.

WRT RFC language, perhaps a reasonable compromise would be to say that a TLS implementation SHOULD only enable 0-RTT application data upon explicit opt-in by the application?

This is more flexible and may involve separate APIs, new off-by-default flags in the existing APIs, whatever else makes sense for a particular TLS implementation…

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Tuesday, June 13, 2017 5:27 AM
To: Salz, Rich <rsalz@akamai.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Separate APIs for 0-RTT

On Tue, Jun 13, 2017 at 1:22 PM, Salz, Rich <rsalz@akamai.com> wrote:
Microsoft also has a separate API for 0RTT data.  I would characterize things as the two most popular browsers have stated their intention to have a single API, and the two most popular system libraries have two.  Outlier is clearly wrong.

I did not know that about Microsoft. Thanks for the update. I take back "outlier".


I agree we don’t have consensus, but do make sure that any wording change accommodates the fact that the split isn’t all-versus-one.

I was intending to use wording that was neutral between the two options without any claims about popularity.

Thanks,
-Ekr
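The two API shapes under discussion (an off-by-default opt-in flag versus a separate entry point for 0-RTT writes) can be sketched together. The following is an added example written for this archive page; it is not the OpenSSL or Windows (SChannel) API and not code from anyone in the thread. The handshake is faked with a constructed resumption ticket so the file runs offline; the class and method names are hypothetical. What it demonstrates is the safety property the opt-in is meant to give: an ordinary `write()` can never silently become replayable 0-RTT data, early data is bounded by the ticket's `max_early_data_size`, and if the server rejects 0-RTT the application is told rather than having the bytes retransmitted behind its back.

```python
"""Sketch of an application-facing 0-RTT API with explicit opt-in.

Added example, not a real TLS library. Names (ClientConnection,
write_early_data, ...) are hypothetical. TLS semantics mirrored here:
a client may only send 0-RTT when resuming with a ticket whose
early_data extension permits it, up to max_early_data_size bytes, and
the server is free to reject the early data during the handshake.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class EarlyDataNotEnabled(Exception):
    """The application never opted in to 0-RTT."""


class HandshakeNotComplete(Exception):
    """Ordinary 1-RTT write attempted before the handshake finished."""


@dataclass
class ResumptionTicket:
    # Constructed stand-in for a NewSessionTicket. 0 means the server
    # did not offer 0-RTT for this ticket.
    max_early_data_size: int


@dataclass
class ClientConnection:
    ticket: Optional[ResumptionTicket] = None
    early_data_enabled: bool = False          # off by default
    handshake_complete: bool = False
    early_data_accepted: Optional[bool] = None  # None until the server decides
    _early: List[bytes] = field(default_factory=list)
    _app: List[bytes] = field(default_factory=list)

    # Shape 1: an off-by-default flag the application must flip.
    def enable_early_data(self) -> None:
        self.early_data_enabled = True

    # Shape 2: a separate entry point, so the caller cannot confuse
    # replayable 0-RTT bytes with ordinary application data.
    def write_early_data(self, data: bytes) -> int:
        """Queue 0-RTT data; returns the number of bytes accepted (may be 0)."""
        if not self.early_data_enabled:
            raise EarlyDataNotEnabled("call enable_early_data() first")
        if self.handshake_complete:
            raise HandshakeNotComplete("0-RTT window is closed; use write()")
        if self.ticket is None or self.ticket.max_early_data_size == 0:
            return 0  # no ticket, or the ticket forbids 0-RTT: nothing sent
        room = self.ticket.max_early_data_size - sum(len(b) for b in self._early)
        chunk = data[: max(room, 0)]
        if chunk:
            self._early.append(chunk)
        return len(chunk)

    def write(self, data: bytes) -> int:
        """Ordinary 1-RTT write. Never silently downgrades to 0-RTT."""
        if not self.handshake_complete:
            raise HandshakeNotComplete(
                "handshake not finished; 0-RTT requires explicit opt-in via write_early_data()"
            )
        self._app.append(data)
        return len(data)

    def complete_handshake(self, server_accepts_early_data: bool) -> None:
        """Constructed handshake outcome. Rejected early data is dropped and
        reported; the library does not retransmit it on the caller's behalf."""
        self.handshake_complete = True
        if self._early:
            self.early_data_accepted = server_accepts_early_data
            if not server_accepts_early_data:
                self._early.clear()

    def bytes_sent_as_early_data(self) -> bytes:
        """What actually went out as (replayable) 0-RTT data."""
        return b"".join(self._early)

    def bytes_sent_after_handshake(self) -> bytes:
        return b"".join(self._app)


def demo() -> dict:
    """Drive both API shapes on a constructed resumption; returns observations."""
    conn = ClientConnection(ticket=ResumptionTicket(max_early_data_size=16))
    conn.enable_early_data()
    request = b"GET / HTTP/1.1\r\n\r\n"          # 18 bytes, ticket allows 16
    queued = conn.write_early_data(request)
    conn.complete_handshake(server_accepts_early_data=False)  # server rejects 0-RTT
    conn.write(request)                           # caller decides to resend over 1-RTT
    return {
        "queued_early": queued,
        "early_accepted": conn.early_data_accepted,
        "early_bytes": conn.bytes_sent_as_early_data(),
        "app_bytes": conn.bytes_sent_after_handshake(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the separate `write_early_data()` entry point is that idempotency becomes the caller's decision at the call site: code that only ever calls `write()` cannot produce 0-RTT traffic, and code that does opt in receives `early_data_accepted` so it can decide whether to resend.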