IETF Logo Mail Archive

Re: [TLS] Ticket request PR#20

Benjamin Kaduk <bkaduk@akamai.com> Fri, 01 May 2020 18:19 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 254F43A1937 for <tls@ietfa.amsl.com>; Fri, 1 May 2020 11:19:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FCbyK_36eo3h for <tls@ietfa.amsl.com>; Fri, 1 May 2020 11:19:01 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFB183A1916 for <tls@ietf.org>; Fri, 1 May 2020 11:19:01 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 041IITDZ017196 for <tls@ietf.org>; Fri, 1 May 2020 19:19:01 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : subject : message-id : references : mime-version : content-type : content-transfer-encoding : in-reply-to; s=jan2016.eng; bh=e2SRtzR1AiWM/NZZSnyooxlvJIrEyle9SkOsSZtju20=; b=pI88V57uCluRaB/Yt+Ohjbp6K7hbuGT+R/Rk+hSHxBeLwhcyAHgfI3HlsVCPlXtzxOYN PCnqIqBnCDbJNzzJkaA8omaGxg1k4qTIOmBEpwW00J3xk/cBX7SmugN3fBx8s7bEYh9a td/BbdepMmoQCiG9QsltKMlAiTkGUY4pbhXKj+o98dVlMKyWHsD2ILerTh3OpxdXLojW 31lj9gbe1H0X57zVc0ggleObstb1ByDEewS9ArUzaFemgzJOzuPBEKAYxvm2fY+N3CmB Nh1HU9rzrrFuID76CZboc78+asMi1zDXlMp9pCHqREaEnidMKCfrWg/aPvemncrvjpiC tg==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 30r7jqb6h6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 01 May 2020 19:19:01 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.27/8.16.0.27) with SMTP id 041IIM3F027953 for <tls@ietf.org>; Fri, 1 May 2020 14:19:00 -0400
Received: from prod-mail-relay11.akamai.com ([172.27.118.250]) by prod-mail-ppoint2.akamai.com with ESMTP id 30mghwqc0d-1 for <tls@ietf.org>; Fri, 01 May 2020 14:18:59 -0400
Received: from akamai.com (sea-lp9yo.kendall.corp.akamai.com [172.19.16.134]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 89F7B21B76 for <tls@ietf.org>; Fri, 1 May 2020 18:18:59 +0000 (GMT)
Date: Fri, 01 May 2020 11:18:58 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: tls@ietf.org
Message-ID: <20200501181858.GF3811@akamai.com>
References: <20200419222318.GY41308@straasha.imrryr.org> <CBE68A19-EBBE-4BF6-97B0-F6CEE9A90363@sn3rd.com> <20200501181131.GA76674@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20200501181131.GA76674@straasha.imrryr.org>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-05-01_11:2020-05-01, 2020-05-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=958 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2002250000 definitions=main-2005010139
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-05-01_11:2020-05-01, 2020-05-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 bulkscore=0 mlxlogscore=962 suspectscore=1 clxscore=1011 impostorscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 malwarescore=0 priorityscore=1501 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005010139
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mgIBJIUeEWU8gkZSLdB7Yx5Fk9U>
Subject: Re: [TLS] Ticket request PR#20
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2020 18:19:10 -0000

Hi Viktor,

On Fri, May 01, 2020 at 02:11:31PM -0400, Viktor Dukhovni wrote:
> On Fri, May 01, 2020 at 01:03:58PM -0400, Sean Turner wrote:
> 
> > We recommend that PR#20 be closed and we will progress the draft to
> > Ben for his AD review. The suggested text is not strictly needed. As
> > the name of the draft suggests, the client’s ticket requests are just
> > that a request for tickets. The server is free to do whatever it wants
> > with the request.
> 
> This is unfortunate, because there's an opportunity here to specify
> an extensible extension that could later be refined to support
> reuse at negligible cost to the "complexity" of the specification,
> indeed all the server has to do is issue at least one ticket like
> it always did, unless both counters are zero.
> 
> I've agreed to defer actual consideration of reuse to a separate draft,
> but this preëmptively shuts the door on getting that done, without
> requiring a second largely redundant extension that would have to modify
> the meaning of {0,1} to make the "1" be "as needed".  Now server that
> (hypothetically) are willing to support reuse will have to consider the
> interplay of two separate related extensions, which is definitely more
> complex.
> 
> Declining this comes across hostile to me.  I read the objections to
> "only {0, 0} means zero" as a blocking counter-measure against the
> deferred discussion, and not a material objection on the merits. :-(

I don't think it's right to say that "only {0,0} means zero" -- after all,
this is a *request*, not a command from the client to the server.
In particular, I see it as an indication of what the client wants in order
to meet the client's policy for (non-)reuse, but when the server's policy
is different, the server can and should diverge from the client's request.
This divergence can occur in either direction (more or fewer tickets issued).

Since the signal we're sending is merely advisory, it seems more prudent
to leave discussion of what a server should do when it receives specific
values as guidance for what factors a server logic should take into account
rather than trying to assign specific semantics to pairs of values that are
advisory in the first place.  I think what people are objecting to is
trying to assign precise semantics to specific pairs of values when the
individual values themselves do not have such precise semantics.

I would need to go and re-read the text to be sure (and I guess I'll have
to when it gets to me for AD evaluation), but expect that some discussion
of how client policy can mismatch with server policy to be appropriate;
I expect to have more concrete text suggestions as part of my AD review.

Thanks,

Ben

v2.23.0 | Report a Bug | By Email