Re: [TLS] Call for consensus: Removing 0-RTT client auth

Bill Cox <waywardgeek@google.com> Thu, 31 March 2016 17:18 UTC

In-Reply-To: <56FD5978.3040401@akamai.com>
References: <AABACDA8-6A12-4023-A971-1254CED4893F@sn3rd.com> <56FD154D.1030300@gmx.net> <CAH9QtQGBrvbPp4V8SMwK1WuUQpJKMo-1z8bs6rCO_d-w0JJE8A@mail.gmail.com> <56FD5978.3040401@akamai.com>
Date: Thu, 31 Mar 2016 10:17:53 -0700
Message-ID: <CAH9QtQEL7H9qs0ZcgHBEwamc9kMZ_EaWv7jz67_x2NT5EzfMCg@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/q5Mn66tSNWVF_VHcfV5pn28H1CM>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing 0-RTT client auth

On Thu, Mar 31, 2016 at 10:08 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote:

> On 03/31/2016 12:02 PM, Bill Cox wrote:
>
> On Thu, Mar 31, 2016 at 5:17 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> Hi Sean,
>>
>> we at ARM would find it somewhat unfortunate to remove the client
>> authentication feature from the 0-RTT exchange since this is one of the
>> features that could speed up the exchange quite significantly and would
>> make a big difference compared to TLS 1.2.
>>
>
> Client certs can still be used with PSK 0-RTT, but only on the initial
> 1-RTT handshake.  It is up to the client to ensure that the security of the
> resumption master secret (RMS) is solid enough to warrant doing 0-RTT
> session resumption without re-verification of the client cert.
>
>
> That seems to rule out most corporate uses of client certs [for 0-RTT
> client authentication], since I doubt anyone will be interested in trusting
> that the client does so properly.
>
> -Ben
>

You would think so, but in TLS 1.2, the client only proves possession of
the certificate key on the initial connection, and not again on resumption,
so corporations are already trusting the client to maintain the security of
their resumption tickets and cache.  This seems like a significant security
issue that is not well known.

Bill
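
Added illustration, not part of the original message: a server-side policy sketch for the point above. On resumption the client identity comes only from ticket state, so the server limits how old the last certificate-key proof may be. `TICKET_KEY`, `MAX_CERT_PROOF_AGE` and the function names are hypothetical, and the ticket is only HMAC-protected here, whereas real session tickets are also encrypted.

```python
import hashlib
import hmac
import json

# Hypothetical server ticket key (constructed value); real servers rotate it
# and also encrypt the ticket body. Only integrity is modelled in this sketch.
TICKET_KEY = b"constructed-demo-ticket-key"
MAX_CERT_PROOF_AGE = 8 * 3600  # assumed policy: re-prove key possession every 8 hours


def issue_ticket(cert_fingerprint, proved_at):
    """Called after a full handshake in which the client's CertificateVerify was checked."""
    body = json.dumps({"fp": cert_fingerprint, "proved_at": proved_at},
                      sort_keys=True).encode()
    tag = hmac.new(TICKET_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def open_ticket(ticket):
    """Return the ticket state, or None if this server did not issue the ticket."""
    try:
        body_hex, tag = ticket.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(TICKET_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return json.loads(body)


def decide(ticket, now, max_age=MAX_CERT_PROOF_AGE):
    """Decide how to treat a resumption attempt at time `now` (seconds).

    The private key is not used again on resumption, so the policy forces a
    full handshake once the last key-possession proof is older than max_age.
    """
    state = open_ticket(ticket)
    if state is None:
        return ("full_handshake", None)
    age = now - state["proved_at"]
    if age < 0 or age > max_age:
        return ("full_handshake", None)
    return ("resume", state["fp"])
```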