Re: [TLS] Replacing HelloRetryRequest in TLS 1.3?
Eric Rescorla <ekr@rtfm.com> Thu, 26 November 2015 23:16 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F6B51B2C62 for <tls@ietfa.amsl.com>; Thu, 26 Nov 2015 15:16:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0otP72j85Oow for <tls@ietfa.amsl.com>; Thu, 26 Nov 2015 15:16:06 -0800 (PST)
Received: from mail-yk0-x233.google.com (mail-yk0-x233.google.com [IPv6:2607:f8b0:4002:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C89191B2BBC for <tls@ietf.org>; Thu, 26 Nov 2015 15:16:05 -0800 (PST)
Received: by ykdr82 with SMTP id r82so101942394ykd.3 for <tls@ietf.org>; Thu, 26 Nov 2015 15:16:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=fw22l1jDXAPXoGmPK4hMF2jN3kB5DarpZpz/RnW5OgI=; b=rnwfMQvE427XnoHbnybq0+RU5ZIAhsOeJbbyw5VGvOR6mkxZ4m+Kyt5C7e9iwydidj eSnwxrbklYR6fEh7qkB0xYpI40dt2rn1Rc7CzNEUs8fILn+cyZSSHyq2d4goE6Z0vqZW h+xcxzjviiNM9wAqbjQIbDRv14sxfLHyhoPRoXyzuueyEOQoCiCZCJtmvPR/voefa9Fp /z28mdz+JFbwlcrPSi7wuNB8pTK5J++Cbi7/qxuwo4ZBLOoz6MRQlt8+Q7HWg67ff9Ur B/mGrwUS6YZU1dVfy9sszEdNSBexaWUY27uovcZjkLfRNhoznuZ+GFZozc/umZwc7ETM DE0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=fw22l1jDXAPXoGmPK4hMF2jN3kB5DarpZpz/RnW5OgI=; b=TEiMhctUace3evYPaXcLtojK4eFfnMEdTtU4fVgDcu+jaAalC7zl103z12JvH6KVMd EG6n1Vn80UtEpJL2HY70KKR+B99XqqzRkkWCqBH+Nt+W62GiW8XGVsB4vyqiBwXu7mkG gvadqg5omz8JOWBN7mubDyYrepsSIAT9EHlYdSeVFgPSB6SjHA97w2TPg/0zMuDPYNyC WooerZNQrADzEb8mUPTbtey+lwlAXAGsVv5zt5U5lT73Y596vK15R/cfmMnE/UuwAWy/ 4h6EgaAjg1NM5IPkTadpgYWb94VwzKdtUvmGP4U6xAnftMn4qOIUyqurzMrWznNSFhP3 SZBQ==
X-Gm-Message-State: ALoCoQnMBHvqlgIPr2FBi7fA5dLNHlKYtu8ebkuUYc7mf8A2dMEuxLejMjHkoRAS41x+HOQCOQ+1
X-Received: by 10.129.46.84 with SMTP id u81mr2863261ywu.129.1448579765163; Thu, 26 Nov 2015 15:16:05 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Thu, 26 Nov 2015 15:15:25 -0800 (PST)
In-Reply-To: <201511261803.30599.davemgarrett@gmail.com>
References: <201511261803.30599.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 26 Nov 2015 15:15:25 -0800
Message-ID: <CABcZeBP9_VPU7Vu-TiEvx18ZPFE2Wz9m+Ke2b0BrfEQGt6t=jQ@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="001a11409380550978052579c22b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/v2y9sLXNkauL4uPmao5osVojIJc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Replacing HelloRetryRequest in TLS 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 23:16:07 -0000
On Thu, Nov 26, 2015 at 3:03 PM, Dave Garrett <davemgarrett@gmail.com> wrote: > HelloRetryRequest is annoying I guess this is a matter of opinion. The main thing that comes to mind would be to provide a way for a server to > respond to a client with a ServerConfiguration, but not a hello, and put > group support in there (maybe a whole supported_groups extension). Clients > that don't provide the needed key would get a config and a fatal alert > telling it that it needs to use a supported group from that config. The > client could then retry as it does now or do 0-RTT with early data, which > could cut an RTT out of the current flow. (This is similar to the QUIC way > of doing things.) The server could certainly tell the client what groups it supports, but given that the server already knows precisely what the client's capabilities are at this point, there's no good reason why it shouldn't simply tell the client what to do. This matches the usual TLS negotiation model. For obvious reasons, if the client is to send data in response to the server's first flight (as you suggest) it's going to have to have an authenticated public key. However, that public key will need to be authenticated via a signature, which means carrying the server's cert, which means that we're encrypting much less of the handshake. In addition, you either have to have a statically signed configuration (which we've already rejected for the general case) or the server has to perform an online signature, which means that the server has no defense against computational DoS attacks unless we introduce yet another cookie mechanism. For these reasons, I believe that the current design is superior. -Ekr > > Dave >
- [TLS] Replacing HelloRetryRequest in TLS 1.3? Dave Garrett
- Re: [TLS] Replacing HelloRetryRequest in TLS 1.3? Eric Rescorla