Re: [TLS] Call for adoption of draft-vvv-tls-cross-sni-resumption

"Salz, Rich" <rsalz@akamai.com> Thu, 03 December 2020 20:46 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: David Benjamin <davidben@chromium.org>, Eric Rescorla <ekr@rtfm.com>
CC: "<tls@ietf.org>" <tls@ietf.org>
Date: Thu, 03 Dec 2020 20:44:05 +0000
Message-ID: <22DD5290-9978-4006-A192-EA4927F4FBAE@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u4HRYXEcGn6m06G6Zm7wdT2cvSA>

> I'm not sure if it's ever been written down anywhere (probably should be...), but I think resumption is pretty much universally interpreted as authenticating as the identities presented over the original connection, client and server. That means that, independent of this draft, the client should only offer a session if it is okay with both accepting the original server identity, and presenting the original client identity. (Analogously, HTTP connection reuse reuses TLS handshake-level decisions, so you have to be okay with that decision to reuse the connection.)

Totally agree.  @ekr, you want to make this change in your BIS draft?
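An added illustration (not code from this thread, the draft, or any TLS stack) of the client-side rule quoted above: a session is offered for a new name only if the client would still accept the server identity from the original handshake and would present the same client identity, and only when the server opted in to cross-name resumption. The SessionEntry fields, the cross_name_ok flag and the simplified wildcard matching are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class SessionEntry:
    """What a client must remember per ticket to apply the rule (assumed layout)."""
    origin_sni: str                  # name the client originally connected to
    server_names: FrozenSet[str]     # DNS-IDs from the server cert it accepted
    client_identity: Optional[str]   # client cert it presented, None if anonymous
    cross_name_ok: bool              # server opted in to cross-name resumption


def matches_dns_id(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost wildcard label (simplified RFC 6125)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), host.split(".")
    # Same label count, and never a wildcard directly under a public suffix like *.com
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def should_offer(entry: SessionEntry, target_sni: str,
                 client_identity: Optional[str]) -> bool:
    """Offer the ticket only if resuming re-asserts identities the client accepts."""
    # Presenting a different client identity than the original would be wrong.
    if client_identity != entry.client_identity:
        return False
    # Same name as the original handshake: server identity already accepted.
    if target_sni.lower() == entry.origin_sni.lower():
        return True
    # Cross-name: server must have opted in, and the original cert must cover the name.
    if not entry.cross_name_ok:
        return False
    return any(matches_dns_id(san, target_sni) for san in entry.server_names)


# Constructed sample: a ticket issued by www.example.com with a wildcard cert.
SAMPLE = SessionEntry("www.example.com",
                      frozenset({"www.example.com", "*.example.com"}),
                      None, True)
```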