Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Tommy Pauly <tpauly@apple.com> Sat, 01 February 2020 01:54 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B119120074 for <tls@ietfa.amsl.com>; Fri, 31 Jan 2020 17:54:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-J5OLVC03JV for <tls@ietfa.amsl.com>; Fri, 31 Jan 2020 17:53:58 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8006B120024 for <tls@ietf.org>; Fri, 31 Jan 2020 17:53:58 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id 0111qBUY051757 for <tls@ietf.org>; Fri, 31 Jan 2020 17:53:56 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : content-type : content-transfer-encoding : mime-version : subject : date : references : to : in-reply-to : message-id; s=20180706; bh=2EsSjlPljxWP7iSVAMcTISsMEkf4xQK0xWSL8HAh628=; b=k3hZX/ddc+sVTPA9DVmNWB6UOOttiUe8vFgH7cEJ3AyTJGo/4gzW6TJtYzNHKtTie7me MqeKOIQy8PkTE+bI4iAIaFUyK5nUuMnXAfb/WCVrvrlF9SjIoq7MRsxx3b7Qn8Z4An6G GNk/BAAhpB3kHLNuAbzMdWGRmbE4xv40+JwebBWzUmgWCgCaxMtoDgGq8sF35ZwpUNo2 pJu8bKo/mYE4SAJ0kHrC1wq1z3Hq9E/5BwEs78tULNUtlL5YJY3mz1roCrrSSqe5FnKP NkeZT3SLQcbF1cPIx0MzK6zAxIkhX3lwXGE12VYTNup9u3yYR7N2z96UQrG8lMaBckiM Xw==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2xrnj3n29q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <tls@ietf.org>; Fri, 31 Jan 2020 17:53:56 -0800
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) with ESMTPS id <0Q500015S2LUVHE0@rn-mailsvcp-mta-lapp03.rno.apple.com> for tls@ietf.org; Fri, 31 Jan 2020 17:53:55 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q5000H002IVX200@nwk-mmpp-sz11.apple.com> for tls@ietf.org; Fri, 31 Jan 2020 17:53:54 -0800 (PST)
X-Va-A:
X-Va-T-CD: 3ab6cfbeef9fe0930bcbd49ada4d0cd2
X-Va-E-CD: 7f7e14a8463c26a765e1ab3769b5d901
X-Va-R-CD: 6a2bc58b15f70a522f15c151e4c2a302
X-Va-CD: 0
X-Va-ID: f2449301-87b0-4504-8eba-82e152537ec7
X-V-A:
X-V-T-CD: 3ab6cfbeef9fe0930bcbd49ada4d0cd2
X-V-E-CD: 7f7e14a8463c26a765e1ab3769b5d901
X-V-R-CD: 6a2bc58b15f70a522f15c151e4c2a302
X-V-CD: 0
X-V-ID: f9786c27-4620-4798-8909-082ce00af532
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-31_07:,, signatures=0
Received: from [17.230.168.109] by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q5000KXK2LUCG60@nwk-mmpp-sz11.apple.com> for tls@ietf.org; Fri, 31 Jan 2020 17:53:54 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: quoted-printable
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Fri, 31 Jan 2020 17:53:50 -0800
References: <CAN2QdAH7t4fPgBfBSO7Ni1As2bVB9QvCw1s9j0ggqvTRUATE8A@mail.gmail.com> <20200123021455.GA73491@straasha.imrryr.org> <87427017-551e-4633-a0d3-75f378879aa9@redhat.com> <20200123124055.GF73491@straasha.imrryr.org> <CACsn0cngxBQTB+Pfw6t_+qsSFb0Kf8mV1U1J1UTsPJiUk=vg0w@mail.gmail.com> <20200123193250.GD12073@localhost> <20200123210151.GG73491@straasha.imrryr.org> <5F5F670C-A0BD-4F38-BEFF-192C171EDAC1@apple.com> <20200131235533.GA18021@localhost> <CAChr6Sz6PEgQUQg8dB9Ym0z5_iRjmZE5g1hUCCgEOsA-7A=P-w@mail.gmail.com> <20200201011115.GB18021@localhost> <CAChr6SywucrTUsAeN6Aw26ufmhcB8txAmFVNGnUaeR3gG653VQ@mail.gmail.com> <4E7DC6E9-A04E-4016-A12A-CFC723E18219@dukhovni.org>
To: IETF TLS WG <tls@ietf.org>
In-reply-to: <4E7DC6E9-A04E-4016-A12A-CFC723E18219@dukhovni.org>
Message-id: <5E66E815-E649-4EE5-9780-AA2158F81744@apple.com>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-31_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kvMDdhPzXvRp6X3wIJhhXfo4oAY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Feb 2020 01:54:00 -0000

Hi Viktor,

> On Jan 31, 2020, at 5:24 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
>> On Jan 31, 2020, at 8:15 PM, Rob Sayre <sayrer@gmail.com> wrote:
>> 
>> If the scope of a document can be continually expanded during last call, it can be indefinitely postponed.
> 
> I'm not proposing a change of scope.  The document specifies how a client
> and server negotiate the number of tickets the server should send.  This
> remains the case.  The -04 document leaves out a relevant scenario where
> the client does want tickets to be refreshed (so not unconditionally zero),
> but does not want gratuitous tickets (new one each time).
> 
> The scope of the document per the abstract includes the following:
> 
>   This extension aims to provide a means for
>   servers to determine the number of tickets to generate in order to
>   reduce ticket waste, while simultaneously priming clients for future
>   connection attempts
> 
> My proposal falls squarely in the "in order to reduce ticket waste" category.

The document also is focused on use cases that are all about "avoid[ing] ticket re-use". The security considerations state that "Ticket re-use is a security and privacy concern".

While there are some use cases in which ticket re-use allows the reduction of ticket waste, we cannot state that every possible approach to reduce ticket waste is in scope for this particular document. Rather, this document defines its scope as simply: "This document describes a mechanism by which clients can specify the desired number of tickets needed for future connections." Enabling ticket reuse is not part of that scope.

Beyond discussing scope creep, I think an even bigger reason to decouple the idea of ticket requests from explicit ticket re-use is the notion of working group consensus. I think the WG has clearly expressed consensus on the fact that ticket requests are a useful and non-harmful extension. Indeed, the proposals to add ticket reuse logic to ticket requests that you want relies on such an extension. However, the group certainly does not seem to have consensus on the idea that there should be an extension to allow ticket reuse. As an author, I don't know if I'd support that. Thus, the working group can progress with the tightly-scoped document that it has consensus on, and leave other use cases to future documents.

Thanks,
Tommy
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls