Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Nico Williams <nico@cryptonector.com> Thu, 23 January 2020 19:33 UTC

Date: Thu, 23 Jan 2020 13:32:51 -0600
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: TLS List <tls@ietf.org>
Message-ID: <20200123193250.GD12073@localhost>
References: <20200121055411.GJ73491@straasha.imrryr.org> <97de6364-c628-45aa-8613-ba1a32cc41b2@www.fastmail.com> <A5448AC9-6EBB-48F9-A1B0-A787FBBCFF05@akamai.com> <08A4B0CD-9903-4027-B672-E8C7AFB34B4D@akamai.com> <20200123005528.GA12073@localhost> <CAN2QdAH7t4fPgBfBSO7Ni1As2bVB9QvCw1s9j0ggqvTRUATE8A@mail.gmail.com> <20200123021455.GA73491@straasha.imrryr.org> <87427017-551e-4633-a0d3-75f378879aa9@redhat.com> <20200123124055.GF73491@straasha.imrryr.org> <CACsn0cngxBQTB+Pfw6t_+qsSFb0Kf8mV1U1J1UTsPJiUk=vg0w@mail.gmail.com>
In-Reply-To: <CACsn0cngxBQTB+Pfw6t_+qsSFb0Kf8mV1U1J1UTsPJiUk=vg0w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/katIMU9Jr2Kliuq1ygWindh0IRY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

On Thu, Jan 23, 2020 at 09:43:21AM -0800, Watson Ladd wrote:
> Sending a new ticket doesn't force clients to store it.

Sure, but if the old ticket will not be accepted again then the client
will incur a full handshake later.  The client doesn't know if the old
ticket will or will not be accepted again.  Extending the protocol to
have the server signal that bit will require new OpenSSL extensions,
which is why that is not a sufficiently good response to the Postfix
issue.

Nico
--