Re: [TLS] Backwards-compatibility of 0-RTT data
Eric Rescorla <ekr@rtfm.com> Wed, 27 January 2016 02:11 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2E411B33A2 for <tls@ietfa.amsl.com>; Tue, 26 Jan 2016 18:11:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcVw3974VsXP for <tls@ietfa.amsl.com>; Tue, 26 Jan 2016 18:11:49 -0800 (PST)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB88A1B33A0 for <tls@ietf.org>; Tue, 26 Jan 2016 18:11:48 -0800 (PST)
Received: by mail-yk0-x22f.google.com with SMTP id v14so224555581ykd.3 for <tls@ietf.org>; Tue, 26 Jan 2016 18:11:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=n/fMokQH0tiFmpyMTrg1C2SrJ5GJALgzgYKwtem4Xx0=; b=ePIm8ATb/hqh5ilxSpmhIcVXYY3UJ5x6Ks/GwSqkfD7ENeFZbMzS8YyM7C/+okMWqp Gf08SGcVmJOqgGssZQmtxS6VGIP1z3nyl9uA+SypSoZlxS+9RoS2rB5kFzc9dlRUzg0Q 8sqrsneIkGx8e2QdrI/TkEjspbs53a6JEUwLEkUk8fNYak+cTbiikfQ4Cv1HgQw6s6hP /d4ZhlZcV4qEqR//REY+Pcmng8gd7Da0EssuXid9VaisejVmvIeYS82a3KB/e0TU7Iql w8KYejPJmiy1xWlI4O6zVvUGCNSDDB4HozEKI+ty5Ky0to8AHpCjZIhlwXtQHf2OVGEi DG4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=n/fMokQH0tiFmpyMTrg1C2SrJ5GJALgzgYKwtem4Xx0=; b=gAmKCZSDeKuDjs1obMNnWu5R8G/U/vFa/v4NVsaYXMOO1jpZENcG1bz6gScKOSpeM5 E21MfJoAmKX4bA8Rg6zGu2yWXjXmJ177BbXTLrPXAIUgx3GBKkVjoshOLjhG8Rq18EUB bbuFs9boOUX7Db2MRx8rD+q4VWhp69UAWEisslEG5PKymZorRge4uc0cMcvdhd8xsHu4 GtYr2kaHvvoaZ7VyCojnW/RG5s3yrUdmzX7IcPjTFXlf+ySFlO82KCi1RATemOTiiYTG a4CG3Wnsvr3ZgiA8DDFEyT8S9K7uciQCL7RPLhTOfv6jpsY+RQ3/Y5MJPeXY+V8BxrNF J0KQ==
X-Gm-Message-State: AG10YOTuu3c4n21WZa+2ZLjNpj2W+4X7SIrthfR+M0NgWGPLDzWk5dKIGchYvGq34vCFOL48jZLPbYJIh4Q7qg==
X-Received: by 10.129.73.17 with SMTP id w17mr14542973ywa.223.1453860708176; Tue, 26 Jan 2016 18:11:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Tue, 26 Jan 2016 18:11:08 -0800 (PST)
In-Reply-To: <CAF8qwaDTU=f6UO=NY4SeKxR+yDrrOeuLCq2UKUoU_iFhFOzGVg@mail.gmail.com>
References: <CAF8qwaDTU=f6UO=NY4SeKxR+yDrrOeuLCq2UKUoU_iFhFOzGVg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 26 Jan 2016 18:11:08 -0800
Message-ID: <CABcZeBOqtAiJ81qVgapJF26X7v1ncFpRw9b9bgA6J9QnV01h1w@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary="001a114d950610836c052a47533a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rVg17mwlExcMDDE6ami4_aH_vxg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Backwards-compatibility of 0-RTT data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 02:11:50 -0000
On Tue, Jan 26, 2016 at 6:02 PM, David Benjamin <davidben@chromium.org> wrote: > Instead of putting 0-RTT data in a ClientHello extension, the current > draft has the client send extra records in the first flight, right? (I see > an early_data extension, but it seems only be an indicator. There's also > mention of requiring trial decryption which only makes sense if it were > appended.) Was there a reason not to put it into an extension? It's uglier, > but the current scheme has compatibility risks and may force clients into a > fallback dance. > Yes, it means you can't stream 0-RTT data because you have to know it all in advance. We had a number of requests for this. Although a TLS 1.3 client won't make 0-RTT handshakes to a service until > it's managed to speak TLS 1.3 to it once, services aren't made of one > machine. Many services span multiple machines, changes are deployed > incrementally, etc. Even single-machine services may need to roll back a > change. This kind of statefulness means that one cannot enable 0-RTT on > *any* machine until *all* machines in the fleet have enabled TLS 1.3. And > TLS 1.3 may not be rolled back once 0-RTT is enabled (at least not until > all server configs have expired). > I don't think this is entirely true: Web clients already fall back on hard failures. But yes, thats the general design. I would not expect all deployments to get this right. Large companies with > TLS experts might, but most people will idly take updates from their > operating system with (hopefully!) TLS 1.3 and 0-RTT enabled by default. > Well, I think we're generally encouraging people to have to explicitly enable 0-RTT. -Ekr > They won't realize fleets must "set" at TLS 1.3 without 0-RTT before > enabling TLS 1.3 with 0-RTT. > > This is the same flavor of problems in session resumption that motivated > https://github.com/tlswg/tls13-spec/issues/136. That bug wasn't > hypothetical. At the time I filed that issue, https://www.debian.org was > two wildly different servers. One spoke up to TLS 1.0 and the other up to > TLS 1.2. OpenSSL on the client has some bugs around resumption which gives > similar version stickiness effects. Until I reworked the version > negotiation code, Chrome + BoringSSL would fail to connect sometimes. > > Having the 0-RTT data delimited in the ClientHello should hopefully also > avoid the trial decryption step on 0-RTT miss which seems kind of silly. > > David > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Backwards-compatibility of 0-RTT data David Benjamin
- Re: [TLS] Backwards-compatibility of 0-RTT data Eric Rescorla
- Re: [TLS] Backwards-compatibility of 0-RTT data Martin Thomson
- Re: [TLS] Backwards-compatibility of 0-RTT data David Benjamin