Re: [TLS] Comments on the session ticket format in TLS 1.3

David Benjamin <davidben@chromium.org> Mon, 13 March 2017 01:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sD52MU2XMxj2jx5rIe9IsUvmZmw>

On Sun, Mar 12, 2017 at 8:09 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 13 March 2017 at 10:55, Brian Smith <brian@briansmith.org> wrote:
> >> So, I'd prefer to bring session IDs back, and
> >> to arrange things so that they're always server-generated.
> >
> > Even in earlier versions, session IDs were not required with
> > resumption using tickets. The server sends an empty session ID and the
> > client may (should, IMO) send an empty session ID in the resumption
> > hello.
>
> This is true, but I believe that there are compatibility reasons to
> send the session ID anyway.  I don't know the details, but it probably
> comes down to the load balancing thing that Ivan is asking about.
>
> All told, this was a mess in previous versions.  Now we at least have
> a hope of maintaining unlinkability.
>

Clients send session IDs in TLS 1.2 because that is how the server
indicates a resumption. It echoes the client-sent ID back. Otherwise that
value has no meaning. (Go's implementation will just pick a random value
each time. OpenSSL derivatives hash the ticket.)

RFC 5077 does allow a client to leave it empty, but this is a mistake and
should not have been in the specification. That means a client must peek
ahead for ChangeCipherSpec to determine resumption. This is a huge source
of complexity (handshake/CCS synchronization is tricky as it is) and does
not work with DTLS.

David
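
The client-side check described in the message above, as an added example that is not part of the original mail or of any TLS library: a client that sends a non-empty session ID with its ticket can decide resumption from the ServerHello alone, while an empty ID forces it to look at what follows. All function names are hypothetical, the ServerHello bytes are constructed, and SHA-256 of the ticket is an assumed stand-in for "hash the ticket".

```python
import hashlib
from typing import Optional

CCS, HANDSHAKE = 20, 22                                   # TLS record content types
SERVER_HELLO, NEW_SESSION_TICKET, CERTIFICATE = 2, 4, 11  # handshake message types

def build_server_hello(session_id: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello (zeroed random, no extensions)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\xc0\x2f\x00"                # cipher suite + null compression
    return bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body

def server_hello_session_id(msg: bytes) -> bytes:
    """Extract the session_id, rejecting truncated or oversized fields."""
    if len(msg) < 4 or msg[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]                     # follows version(2) + random(32)
    if sid_len > 32 or 35 + sid_len > len(body):
        raise ValueError("bad session_id length")
    return body[35:35 + sid_len]

def ticket_session_id(ticket: bytes) -> bytes:
    """Assumed choice: any non-empty value works, its only job is to be echoed."""
    return hashlib.sha256(ticket).digest()

def resumed_from_server_hello(client_sid: bytes,
                              server_hello: bytes) -> Optional[bool]:
    """True/False when the echo decides it; None when the client sent an
    empty session ID and the ServerHello alone cannot tell."""
    server_sid = server_hello_session_id(server_hello)
    if not client_sid:
        return None
    return server_sid == client_sid

def resumed_by_peeking(content_type: int, hs_type: Optional[int] = None) -> bool:
    """Fallback for the empty-ID case: classify the message after ServerHello.
    ChangeCipherSpec, or the NewSessionTicket that RFC 5077 lets precede it,
    means abbreviated handshake; Certificate etc. means full handshake."""
    if content_type == CCS:
        return True
    return content_type == HANDSHAKE and hs_type == NEW_SESSION_TICKET
```

The `None` branch is the case the message objects to: the decision moves out of ServerHello parsing and into record-layer lookahead.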