Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?

Eric Rescorla <ekr@rtfm.com> Fri, 19 February 2016 22:25 UTC

In-Reply-To: <201602191708.20869.davemgarrett@gmail.com>
References: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com> <201602190044.23065.davemgarrett@gmail.com> <CAH9QtQGL4WuW4yrcxsE2R2Nv7h5jCzWySpP7xTD9xi4Y=bNKVA@mail.gmail.com> <201602191708.20869.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 19 Feb 2016 15:24:25 -0700
Message-ID: <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/speQhh4wSdZW1W00uZbfLm8bJpM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?

On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <davemgarrett@gmail.com> wrote:

> On Friday, February 19, 2016 12:57:04 am Bill Cox wrote:
> > Having two different modes to achieve basically the same
> > thing in TLS 1.3 is a bad idea.
>
> On Friday, February 19, 2016 10:01:31 am Salz, Rich wrote:
> > I greatly prefer one way to do things.
>
> I do not fundamentally disagree. I would support dropping PSK resumption
> in favor of using only DHE 0RTT for resumption.
>

This would represent a major performance regression from TLS 1.2
and therefore I do not believe is practical.


> With PSK resumption, as far as I know, the issue of what cipher suites to
> offer & use has not been settled, or at least written down in the spec. Not
> having to use all of the PSK suites (or non-PSK suites but actually using
> PSK, which could be confusing) and the PSK extension for resumption, and
> instead using some session ID and DHE 0RTT would be simpler and not lose
> capability.
>

I'm fairly far into a PSK-resumption implementation and I don't believe
that that is going to be correct. I do agree that some details need to be
written down, but I don't expect them to be that hard.


> I think that requiring PSK for 0RTT would significantly reduce the
> availability of actually using 0RTT, whilst providing no way to improve the
> situation over the long term.


My impression is exactly the opposite. All the infrastructure for
PSK-resumption and hence PSK-0RTT is already in place for TLS 1.2.
And of course PSK-resumption is also much faster.



> It would mean that TLS only has 0RTT resumption and not actually have any
> 0RTT sessions.


Why do you think that this makes a material difference?

-Ekr