Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

Daniel Migault <> Wed, 02 October 2019 22:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 92EF1120059 for <>; Wed, 2 Oct 2019 15:00:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.477
X-Spam-Status: No, score=-1.477 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.172, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 13ouKJK8S17f for <>; Wed, 2 Oct 2019 15:00:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7977312006F for <>; Wed, 2 Oct 2019 15:00:27 -0700 (PDT)
Received: by with SMTP id z14so267406vsz.13 for <>; Wed, 02 Oct 2019 15:00:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rAlZUQ9Htvz6yQgNTNy24+j2a70c3XnJ1dqzX575tHg=; b=eBHBJQqUvLUsnAKu9b1l+FWgq068KbDV80dR8qt4WbNZ+0MKo7kzA08/1qkL5slyHn TdYiv3zZQYsUuXW9ww40/GQzPxDCZtlHZ65Jnp/tuPVTojtVYVhggLZZi2toYH7NxKJJ lbKBLMSUrRelrFiSQASAlzOvq9X+cA8NwolfcLn8vBSElHfwPbeT0QGPRTQANU1ojURH mY8fHfAVPClTFxCa783Sav/T6H5m9q7dUskMwTisUuz0Y8h8nQEa++E5ghdFYBxY9yRQ HW2kCDicy9wmRUWk+qNwUfDPA7JvmTVAjbl33EENb/ZLQZ81T4jciqlZ+6jyn7adn5O3 vcZA==
X-Gm-Message-State: APjAAAUVgADn/iedIViu3eHhd64KhCtk57AvSorlHSxC6IV8fO0KmLYm Nso5x2x1GSfZKqbTDoOFNzqOX8yqMPJkH67fLMiO5A4RJaU=
X-Google-Smtp-Source: APXvYqwKWGsSztd8rdVQvexAY15zFuwPcB855VVn0atgxbImxtxhvEAf0ub6nLMEgkXTkAeSohSmeOZ4dyPjXxV6XUQ=
X-Received: by 2002:a67:3355:: with SMTP id z82mr3488397vsz.169.1570053626494; Wed, 02 Oct 2019 15:00:26 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: Daniel Migault <>
Date: Wed, 2 Oct 2019 18:00:15 -0400
Message-ID: <>
To: Christopher Wood <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="000000000000af829d0593f49827"
Archived-At: <>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Oct 2019 22:00:30 -0000


Please see my comments.

On Wed, Oct 2, 2019 at 4:55 PM Christopher Wood <> wrote:

> Hi Daniel,
> Please see inline below.
> On Wed, Oct 2, 2019, at 1:42 PM, Daniel Migault wrote:
> > Hi,
> >
> > Please find some comments on the draft.
> >
> > In the introduction, I believe both limitations may be merged into one
> > limitation which is the number of ticket is a server only decision. The
> > purpose of the extension is the client providing information so the
> > server can pick the appropriated number.
> I'd prefer we didn't merge them, though admittedly I don't feel strongly
> about this one way or the other.
> > I find "choose" and "hard-coded" a bit contradicting. If the server
> > uses a hard coded value for the number of tickets, then I would
> > understand the limitation as the server being unable to chose a value
> > per client or per connection. This seems to me an implementation
> > limitation and so maybe out of scope of the extension. If it is able to
> > choose that number, the limitation is that it is a server only
> > decision.
> Indeed. I think this is fairly clear from the draft. How would you suggest
> this be clarified?
The draft does not seem, in my opinion, to address the case when values are
hard coded. OK hardcoded is just there to expose it cannot chose the value.
It is fine.

> > I understand the meaning of count is the higher limit of ticket and the
> > server can provides any tickets between 0 and count. If that is
> > correct, this could be clearly stated and indication to chose an
> > appropriated value for each cases may be provided.
> The document states this:
>    A supporting server MAY vend TicketRequestContents.count
>    NewSessionTicket messages to a requesting client, and SHOULD NOT send
>    more than TicketRequestContents.count NewSessionTicket messages to a
>    requesting client.
> Is this not sufficient clear? If not, how can it be improved?
> > I would rather see the count value as a hard line from the server with
> > a MUST NOT instead of a SHOULD NOT statement.
> As this is merely a hint from the client, I don't think this is necessary.
> I believe we could be more specific than a hint, and a server supporting
the extension MUST NOT send more tickets then specified. This is what is
expected when count is set to 0.

> > My reading of 8446 is that NewSessionTicket messages can be sent at
> > multiple time during or after the handshake. If that is correct, it
> > seems to me quite complex to track the number of tickets that had been
> > sent. Typically, if I have to send them at different time how much
> > would I send at each flight. I would rather consider the min(count,
> > server_limit) as the number of tickets in any batch of NewSessionTicket
> > messages. We may also ask the client to only keep the latest batch of
> > tickets and delete the others previously sent tickets.
> This behavior is orthogonal to the intent of the hint. Imagine, for
> example, clients sent no hint and servers decided to do what you describe
> above. The same issues would still exist (tracking some count sent on the
> server, deciding which tickets to use on the client, etc.). Thus, I don't
> think this would add much value.
> If the servers receives a count value and sends tickets right after the
Finished message and after the post handshake authentication. How many
messages do you expect to be sent at each round?  I suggested to have count
at each round, as the server does not know how the client expects to use
these tickets. I have the impression the current text says count.

> >
> > The ability to request 255 tickets with one byte can be seen as an
> > amplification vector, especially when a server sends directly the
> > tickets after its Finished message. I believe that additional text in
> > the security consideration could be added.
> The text lists this:
>    Servers SHOULD place a limit on the number of tickets they are willing
> to vend to clients.
> The draft mentions limitation of tickets to avoid computation of the
server, and I was reading the limit as to limit that computation, in which
case the limit addresses server's resource exhaustion. What I meant was the
use of the extension with a spoofed IP address.

> Though we can add a parenthetical to indicate that failure to do so may
> result in doing more work that intended.
> Thanks for the feedback!
> Best,
> Chris
> _______________________________________________
> TLS mailing list