Re: [TLS] Proposed text for removing renegotiation

Brian Smith <brian@briansmith.org> Wed, 28 May 2014 17:35 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A8491A0417 for <tls@ietfa.amsl.com>; Wed, 28 May 2014 10:35:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YZ0ZuMFaB5A for <tls@ietfa.amsl.com>; Wed, 28 May 2014 10:35:28 -0700 (PDT)
Received: from mail-qg0-f44.google.com (mail-qg0-f44.google.com [209.85.192.44]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49E911A0A2B for <tls@ietf.org>; Wed, 28 May 2014 10:35:28 -0700 (PDT)
Received: by mail-qg0-f44.google.com with SMTP id i50so18820869qgf.3 for <tls@ietf.org>; Wed, 28 May 2014 10:35:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=B9pixl/MwEq/qpox+yY2RcKNi1djhOAiTa0r1l1rXzQ=; b=QB+D4XgZfZTFU3Zu7poM25vJk6Dyv1G5tXDHXF6Mf9y+SQChiHiXZzOUTnbJhoNwyK /Lz800DSkYJ8BjFFaWYLvJZY6VbtEueSEGlKLBhiebQ30Ve0Abd76XvzZArbkA5YUptX Gg0bKysrhcqWpxp+GS2JlBRer0bAyMYqZbWVSoEHVLn4E39PsifxKtI43X7qweaCe1SG ubBIoL+BwtvX46saQRInXFcl4eOVoQ54uicCS3IGWszye5TM+qznswxhGQLc91nmCt8l 64t8+wDhLLsv8FaMVuQhPlx8kJFezutdqN4uX0pmNo2IwEGmtPgCUQ0izUJkQReeme4u mPqQ==
X-Gm-Message-State: ALoCoQl+3rWWg5I28dKR7eZvvWGDwCYAPrv1J8Ab/31glr8pPIObg20ZzOcwaH0VVRrLran362FS
MIME-Version: 1.0
X-Received: by 10.140.46.53 with SMTP id j50mr1475206qga.27.1401298524226; Wed, 28 May 2014 10:35:24 -0700 (PDT)
Received: by 10.224.201.193 with HTTP; Wed, 28 May 2014 10:35:24 -0700 (PDT)
In-Reply-To: <28421B15-8E06-4E86-AE5D-38D994ABBD45@gmail.com>
References: <CABkgnnXaLKmxXL01hQEdxHSNGt3nZQQNBLDD5H2LqBzTo3vK4g@mail.gmail.com> <CAFewVt5GCmH8wSdUYLy_Q9RNEtAggzG3_k-9E8ME-nP9jZNX3Q@mail.gmail.com> <28421B15-8E06-4E86-AE5D-38D994ABBD45@gmail.com>
Date: Wed, 28 May 2014 10:35:24 -0700
Message-ID: <CAFewVt6Y_+HKmGvCNY0WsUOgQiwhUZsDgfG=v-MfL9+PHqqiVg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=001a113a7e5cc2dcd704fa793cc1
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qg4NQVHOwcFTOulgoW03zkCDsRg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposed text for removing renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 17:35:30 -0000

On Wed, May 28, 2014 at 3:00 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> On May 28, 2014, at 8:47 AM, Brian Smith <brian@briansmith.org> wrote:
>
> On Tue, May 27, 2014 at 2:39 PM, Martin Thomson <martin.thomson@gmail.com>wrote;wrote:
>
>> It's not possible to just remove renegotiation.
>>
>
> Why not? What is the motivation for keeping any form of renegotiation,
> even rekeying? It isn't clear from the public mailing list discussions what
> is motivating the rekeying feature. (Perhaps I overlooked something; if so,
> a link to the past decision on this would be appreciated.)
>
> 1. Client Authentication.
>

<snip>

> Martin has a couple of drafts for making this happen in a combination of
> HTTP authentication method (“go away and come back with a certificate”) and
> a TLS extension (“I have a certificate. Please send a CertReq”).
>

FWIW, I think the idea that Martin is pursuing is the right approach to
this issue.


> 2. Connections that carry so much traffic and last so very long that you
> really need to rekey. This was discussed at the meeting, partially on
> Jabber ([1]). It’s not that common for the web, but I’m assured that XMPP
> connections sometimes last basically forever, so they need rekeying. My
> proposal there (at 19:40) was for this use case. Martin is right that it
> adds “dead air”, but all these use cases are not that delay sensitive, and
> I think it’s worth it to get the simplified state machine.
>

As you say, these applications are not delay sensitive. Also, these
applications have to be able to recover from long-lived connections being
broken. So, for these applications, why isn't it acceptable to just close
the connection/session and open a new one?

I think it would be helpful to see some examples of real-world applications
(preferably, but not exclusively open source) that actually do currently
use renegotiation to rekey a long-lived connection.

Assuming rekeying would be an optional feature like renegotiation is, would
web browsers and/or common web servers actually implement rekeying? It
would be very tempting to leave it out to reduce the chance of
implementation mistakes if it were optional.

Cheers,
Brian