IETF Logo Mail Archive

Re: [TLS] Connection ID Draft

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 13 October 2017 15:41 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55898126E64 for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 08:41:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.4
X-Spam-Level:
X-Spam-Status: No, score=-5.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1wNJm91uy-y for <tls@ietfa.amsl.com>; Fri, 13 Oct 2017 08:41:00 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4900A126B71 for <tls@ietf.org>; Fri, 13 Oct 2017 08:41:00 -0700 (PDT)
Received: from [192.168.91.203] ([80.92.116.99]) by mail.gmx.com (mrgmx101 [212.227.17.168]) with ESMTPSA (Nemesis) id 0LnkiR-1dcBqx0hnL-00hvaN; Fri, 13 Oct 2017 17:40:48 +0200
To: yinxinxing <yinxinxing@huawei.com>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
References: <DBDF9AE44733284D808F0E585E1919022C7A77E2@dggemi508-mbx.china.huawei.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <9800fbbc-f23f-139d-b5a9-ef6515123f73@gmx.net>
Date: Fri, 13 Oct 2017 17:40:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <DBDF9AE44733284D808F0E585E1919022C7A77E2@dggemi508-mbx.china.huawei.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:V/REjixbURmfn7tIe4XeoWH/GYMK2TKIqvX5jpoYGVrDigUDbH9 v3uYvX/cV/i1yYt4TyHz8eZNJYBQep+389U7icuuHXeM5eChduqUbddZzEF8JjCTYgsI45F WJ/XiPsVka8ISHsM+5nENI2BBcjjefTs6IWWuHPH6ikbEodIyggur/wJldSyOBtJWmfQPgC MPXy6pactgfv9qGxM2mVg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:bA5C/zqWaC0=:Iri4QCgh6oTGOkUSJ5Apca QccYUwyrU3mzkSS4p8r2G4zliweL/XCrUhBPDbPbgoztXkZQXGyBuTXhGFA2i2+OWqnXPop2p BRrmj1H9sdMDDPUPw2DqTPIsUxvlxK9BRMNwJWCiV3eZxyYprPEnfhTc+sU4Pjp8VZfLMY8Bi AprWKigp1vfQF2reetPARg8BAv1T7zlrKhXF0AfvwmxtJeMhy7/ZQzzOqE7kWKRE5wLaphiNR uBp6efQTn2qrtmkuf+A7KKmP/JHX1LnEQ9h7d+c2ihVbQCE10yzfXJiaJTVCDbruFK7lgzLrF YbWAhicCLJTH4L0VJiXDLwRh8JCkeQyebvN3tDCKgDpZ3AwQnp90nvdNElM85xIS7eiw6vba8 cTTAN5RgnZysdgoXPvIvxvpUVZ+Mu9QX+XvRrvqs8iRyTTaozuvYoV1hTdirN9VNQDdRHbrQg Ij/ZeyC5GjDQQcrIzCLwDSqWogQO+I1lXuj5Bo+M1W2diRbRh3n6ENygXJHBtNwPspOcrXGp5 IDg4oJZ3bmDzQoHqxS4qNFAlp28nubDfXI8RpNPFhVxSTe7NV2Fe9AW+YkvwU8LVJ2IpF3hXQ onGjvbl6a5b2lNtd6jAr+ewSmeEOTrrsbXEamqWoB0Nce+8p1AS8zDI656w+UUqnJFoNqGlw5 9s0a0ixk1nsTZIk5GdCvVN5jD3TBYWqdXAmF3EftNoHPXL8xlK+D/lvu0l+MToT7Hognc5E/N H8y31wtk/c/WZUfsd+eWFOxOvbPUCheu2NjtBbQbXUNcw/DaOTqCcLvkDge1eITEQcIYCHP/3 t9DT7WZ81LrgMtxbPp1QbO8H2i+/yF57JdRRiHlc9esDhZfA3M=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r3YPWoPPj8rtKU9S5Ah1iKxyV4Q>
Subject: Re: [TLS] Connection ID Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 15:41:03 -0000

I would like to focus on one of the points raised below:
> 3.       We have a practical usecase in IoT. The IOT device, like
> intelligent water meter, sends one message per day, and goes to sleep.
> It wakes up in the second day and sends a message and then goes to
> sleep. If it always (or for a long time) use the same CID, there may be
> a risk of tracing IOT device or the owner of this device. Therefore, it
> is important to recommend user to update CID once it finishes sending
> message. For the CID in DTLS1.2, this becomes worse.


The user is typically not doing anything.


Without this CID extension you would send a full exchange or use session
resumption. This would allow someone in the middle to see the handshake.
In DTLS/TLS 1.2 this would reveal the client certificate.

With DTLS 1.3 and this extension you would hide the certificate and you
could echange new CIDs and switch between them every day. The source IP
address will most likely still reveal the subscriber (if you consider
some cooperation with the ISP).

So, you actually get pretty good privacy properties with DTLS 1.3 & CID
(unless some of the data center folks destroy it again with their fancy
extensions). With DTLS 1.2 there is only a performance benefit but the
privacy properties remain the same IMHO.

Ciao
Hannes


> 
>  
> 
> Regards,
> 
> Yin Xinxing
> 
>  
> 
> *发件人:*TLS [mailto:tls-bounces@ietf.org] *代表 *Eric Rescorla
> *发送时间:*2017年10月13日7:14
> *收件人:*tls@ietf.org
> *主题:*[TLS] Connection ID Draft
> 
>  
> 
> Hi folks,
> 
>  
> 
> I have just posted a first cut at a connection ID draft.
> 
> https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00
> 
>  
> 
> Comments welcome.
> 
>  
> 
> -Ekr
> 
>  
> 
>  
> 
>  
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email