Re: [TLS] Session resumption ticket reuse considered harmful
Nico Williams <nico@cryptonector.com> Thu, 05 March 2020 22:12 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 176333A0D1E for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 14:12:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PLad_cqSV6-8 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 14:12:54 -0800 (PST)
Received: from dragonfly.birch.relay.mailchannels.net (dragonfly.birch.relay.mailchannels.net [23.83.209.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDA003A0D1D for <tls@ietf.org>; Thu, 5 Mar 2020 14:12:53 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 4BD076015F5; Thu, 5 Mar 2020 22:12:53 +0000 (UTC)
Received: from pdx1-sub0-mail-a85.g.dreamhost.com (100-96-219-30.trex.outbound.svc.cluster.local [100.96.219.30]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id A5FA4601636; Thu, 5 Mar 2020 22:12:52 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a85.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.5); Thu, 05 Mar 2020 22:12:53 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Thoughtful-Bottle: 61cec41b15f18e7a_1583446372982_94322306
X-MC-Loop-Signature: 1583446372982:2349358539
X-MC-Ingress-Time: 1583446372982
Received: from pdx1-sub0-mail-a85.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a85.g.dreamhost.com (Postfix) with ESMTP id 6BA1A80A4B; Thu, 5 Mar 2020 14:12:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=vlj+RtOtzI4Toz g6ru13GGM9fXg=; b=TO5yilwbYGicLh9sDDvUxQyq7SD8nh1hhkmStQBYVQpGph GlOBCBCkOOf0V5VdTcm/e9xWO41w5f8oWznMAf18Pnd1tX4dlEFUox2zG0CqcIcz uRGtSOfTt7Q7rPH2FMcSRsz7KhSpl7QHhrl9ykKWJ8WwzK2AvQjlWzIQVR2BU=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a85.g.dreamhost.com (Postfix) with ESMTPSA id 6EBBB80A51; Thu, 5 Mar 2020 14:12:47 -0800 (PST)
Date: Thu, 05 Mar 2020 16:12:45 -0600
X-DH-BACKEND: pdx1-sub0-mail-a85
From: Nico Williams <nico@cryptonector.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20200305221244.GS18021@localhost>
References: <20200305205524.GR18021@localhost> <78240ee1-20ea-45b2-bd0e-e967077c509e@www.fastmail.com> <6A4F6E0C-A1A5-44E8-8045-6D11CDBE939B@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6A4F6E0C-A1A5-44E8-8045-6D11CDBE939B@akamai.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedruddutddgudeivdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomh
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uT8Ti-9gnrcOY8YIrmFyXmCJyTY>
Subject: Re: [TLS] Session resumption ticket reuse considered harmful
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 22:12:57 -0000
On Thu, Mar 05, 2020 at 09:40:24PM +0000, Salz, Rich wrote: > I think several participants in these threads are taking SHOULD NOT > re-use as a MUST NOT. Servers in datacenters seem to fall outside > that concern, no? Indeed, RFC2119 defines SHOULD NOT: 4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. And SMTP and your use case have "valid reasons" because they are "in particular circumstances when the particular behavior is acceptable or even useful" and "the full implications" _are_ "understood" and "the case" has been "carefully weighed". Even if RFC8446 said MUST NOT, we could update it, but as it is we don't need to because it does say SHOULD NOT: C.4. Client Tracking Prevention Clients SHOULD NOT reuse a ticket for multiple connections. Reuse of a ticket allows passive observers to correlate different connections. Servers that issue tickets SHOULD offer at least as many tickets as the number of connections that a client might use; for example, a web browser using HTTP/1.1 [RFC7230] might open six connections to a server. Servers SHOULD issue new tickets with every connection. This ensures that clients are always able to use a new ticket when creating a new connection. and that makes very clear that the SHOULD NOT is specifically about "Client Tracking". And it follows that if you have an application that doesn't find have a client tracking concern, then this SHOULD NOT should be inapplicable. The onus might be on us to demonstrate that there are use cases where client tracking is a non-issue. But it should be quite clear that there are cases where client tracking is indeed a non-issue. Now, maybe one might want to say that this is like PFS: we want to always require PFS (and we do!), so we should always require session ticket non-reuse. That would require an update to RFC8446. Note that the issues with RSA key transport and the client tracking issues are vastly different, and that's almost certainly why PFS became a hard requirement while ticket non-reuse was only made a SHOULD NOT. Nico --
- [TLS] Session resumption ticket reuse considered … Nico Williams
- Re: [TLS] Session resumption ticket reuse conside… Martin Thomson
- Re: [TLS] Session resumption ticket reuse conside… Salz, Rich
- Re: [TLS] Session resumption ticket reuse conside… Nico Williams
- Re: [TLS] Session resumption ticket reuse conside… Watson Ladd
- Re: [TLS] Session resumption ticket reuse conside… Nico Williams
- Re: [TLS] Session resumption ticket reuse conside… Nico Williams
- Re: [TLS] Session resumption ticket reuse conside… Viktor Dukhovni
- Re: [TLS] Session resumption ticket reuse conside… Nico Williams
- Re: [TLS] Session resumption ticket reuse conside… Watson Ladd
- Re: [TLS] Session resumption ticket reuse conside… Salz, Rich
- Re: [TLS] Session resumption ticket reuse conside… Nico Williams