Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)

Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Fri, 25 March 2016 19:02 UTC


> +1 but I think we can go further here and specify 0RTT in such a way that it only works when the server maintains state, and so that any given 0RTT ticket may only be used once (to preserve forward secrecy as much as possible within the constraints of 0RTT).

Do you envision clients only having one resumption handshake at a time? I was under the impression that TLS 1.2 clients typically open multiple
resumption handshakes in parallel, and that TLS 1.3 clients would want to do the same.

> 
> -- 
> Colm