Re: [TLS] Separate APIs for 0-RTT
Eric Rescorla <ekr@rtfm.com> Tue, 13 June 2017 11:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 874501315BB for <tls@ietfa.amsl.com>; Tue, 13 Jun 2017 04:04:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qo1L6hRdVrHQ for <tls@ietfa.amsl.com>; Tue, 13 Jun 2017 04:04:35 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 055EC131556 for <tls@ietf.org>; Tue, 13 Jun 2017 04:02:04 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id v7so30280912ywc.2 for <tls@ietf.org>; Tue, 13 Jun 2017 04:02:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aPtF/sYdeHmZFB0LePlKGKcaBKRlmJk0+NKyfq2FnJs=; b=0XD10h8uCAJXsKmJSZ90jzvx5ED+tkP3GzXhWJr+7975OeqYkPjKTuCRzVBmNJNKSP LkMknPzBMrxr3nx5FRHJRtOcYgkv2quaQr1Q2yYmadQKBVRikyekj327VsB0v67w5vYZ /Kacw1raxgTKBNglH21Kq/nXSWJB4Kr1HCaPhBvoD/3jbM/rBucBYS2/vJY7aGKmjcol CCwSb6ULhHL2tU4xGM6rdpHBUgXvBFbiVn0MwsDFrv2i0NA64WAe+ZiYK968mtUsfYpi qifvsjsckBuTpViC21Tqj8mroHuFqhNsdUVIvVhLBdtMrOki58aEe/zdG1VYWqeXttgA DDTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aPtF/sYdeHmZFB0LePlKGKcaBKRlmJk0+NKyfq2FnJs=; b=Gxw0PSDaF3TP3CDFw0jiaqugXKj3W1xmjVZXyXu1pKRlFqLJS0mMxJtgHAT1uCTADm ZC3uONH7py0dEfd89F6Xm6TY4L3n5McPOUMP3egP5xJ82CpdjSRBkoBuptX3e+XRF3na iQMJ+qE2dJLcizmpSGvJqaqOjYFL1wuj5SFa+5j5gpDIFhSpZxIi+gIVuNq7vY/b5sD0 ryHKaPcC7PObL0OpLTUx/PW++zWBQxiRvkWWzeqWo+aSV/O6Dklg9siYIltIPcMYncsM NC0JHBwq9ZvOdUSYFmX3SQp/w3uVV0vraLPwIB3x2sY4HC5Kq+yI3WbJkb4qv2k1nvje vhDA==
X-Gm-Message-State: AKS2vOx2Edt+kgFCL5Tx8pPLmJGv4X15e5G/qvameQbv8iZLSWSA5TIj p/68M+kT7MHVKJMRc9uOi607DlqSlTT0
X-Received: by 10.129.43.68 with SMTP id r65mr2544833ywr.24.1497351723191; Tue, 13 Jun 2017 04:02:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.144 with HTTP; Tue, 13 Jun 2017 04:01:22 -0700 (PDT)
In-Reply-To: <20170613105409.GB8983@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBPkRhjLNT2QKO+DgfjE8-e-KrJ5XOLbA9bR24R1Fd96MQ@mail.gmail.com> <20170613105409.GB8983@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 13 Jun 2017 12:01:22 +0100
Message-ID: <CABcZeBMUG91cNm+5_bsjUkb-+yFeS2eboYD_EbH=x5toSSgBpQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1141e79890bd3d0551d55df8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/o-w7T3vbPZdiZLzStDQ6sQU28X8>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 11:04:37 -0000
On Tue, Jun 13, 2017 at 11:54 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Tue, Jun 13, 2017 at 09:28:49AM +0100, Eric Rescorla wrote: > > The current text says: > > > > 0-RTT data has very different security properties from data > > transmitted after a completed handshake: it can be replayed. > > Implementations SHOULD provide different functions for reading and > > writing 0-RTT data and data transmitted after the handshake, and > > SHOULD NOT automatically resend 0-RTT data if it is rejected by the > > server. > > > > I think the second piece of guidance (about automatic re-send) is still > > good but it seems like implementations are mostly converging on a single > > API. Of the implementations I know, NSS, BoringSSL (I think), and Mint > have > > a single API and OpenSSL's use of two APIs is an outlier. I don't think > > it's helpful to have a SHOULD that a lot of people violate, especially > when > > this also indicates we don't have consensus on this SHOULD. > > > > I propose we remove this recommendation in favor of one which simply says > > that implementations should need applications to opt-in to 0-RTT. That > > would allow implementations to have either API. > > I think it is VERY bad idea for TLS client library to do 0-RTT without > application explicitly opting in to that (e.g., via setting a special > setting, or using API call sequences that didn't work at all for > n-RTT). > I agree with this. I am suggesting that a setting rather than a separate API is a reasonable approach. -Ekr > > Consider for example that: > > - The application starts by sending a POST request. > - The application starts by sending a GET to confidential URL. > > Both cases lead to things possibly going very badly wrong if TLS > library silently does 0-RTT. And both are kind of requests that might > be written before TLS connection is fuly up. > > And if ALPN is included, there is always a possibility that the > initial guess on protocol was wrong, and the data can't just be > autoretransmitted, but TLS stack has to ask the application to > roll back the state. > > > The server side does not have as obvious failure modes if 0-RTT is > enabled without application knowledge, but that does not mean such > failure modes are not out there. > > > > -Ilari >
- [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Salz, Rich
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Steven Valdez
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Eric Rescorla
- Re: [TLS] Separate APIs for 0-RTT Loganaden Velvindron
- Re: [TLS] Separate APIs for 0-RTT Benjamin Beurdouche
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Ilari Liusvaara
- Re: [TLS] Separate APIs for 0-RTT Petr Špaček
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Andrei Popov
- Re: [TLS] Separate APIs for 0-RTT Brian Sniffen
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Colm MacCárthaigh
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT David Benjamin
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Martin Thomson
- Re: [TLS] Separate APIs for 0-RTT Timothy Jackson
- Re: [TLS] Separate APIs for 0-RTT Benjamin Kaduk
- Re: [TLS] Separate APIs for 0-RTT Yoav Nir