Re: [TLS] Adoption call for draft-sy-tls-resumption-group
Erik Sy <sy@informatik.uni-hamburg.de> Tue, 16 April 2019 08:36 UTC
To: Martin Thomson <mt@lowentropy.net>, tls@ietf.org
Date: Tue, 16 Apr 2019 10:35:52 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vOE7Mlcphxf4DWBngRgaU4ULCJ4>
Hi Martin,

can you please explain why you think this is not the right solution? To start the discussion, I provide below some insights on why I ended up with this solution.

Question 1: Shall the problem be solved by a cross-layer solution or by a TLS-only approach?

Arguments for a TLS-only approach:
+ It is simpler to solve the problem within TLS
+ TLS resumptions across SNI values are available for every use case of TLS
+ So far, there does not exist a mechanism in another protocol which can be directly used to indicate feasible session resumptions across SNI values

Arguments for a cross-layer solution:
+ Context information of other protocols such as HTTP and IP can be used to fine-tune resumptions across SNI values

Question 2: Shall the TLS resumption group be defined as a separate list provided by the server or cover the entire SAN list of the certificate?

Note that it is a strict requirement that resumptions across SNI values are only conducted if the involved SNI values are valid for the server certificate presented during the initial connection establishment.

Arguments for a separate list:
+ Flexibility to define the resumption group without some entries of the SAN list

Arguments for defining the resumption group as the entire SAN list:
+ Smaller overhead in terms of data traffic
+ Simpler, and hopefully avoids new security errors in which implementations allow session resumptions to illegitimate SNI values

Finally, I ended up with a TLS-only approach using the entire SAN list as a resumption group. However, I do not claim that the provided lists of arguments are complete and would like to encourage you to contribute to this list.

Thanks,
Erik

On 4/13/19 06:10, Martin Thomson wrote:
> I like the basic idea, but I don't think that this is the right solution. I realize that we can adopt and fix, but my preference is to have a little more time to discuss solutions before we adopt anything.
>
> On Sat, Apr 13, 2019, at 09:35, Christopher Wood wrote:
>> At TLS@IETF104, there was interest in the room to adopt
>> draft-sy-tls-resumption-group as a WG item. The draft can be found here:
>>
>> https://datatracker.ietf.org/doc/draft-sy-tls-resumption-group/
>>
>> This email starts the call for adoption. It will run until April 26,
>> 2019. Please indicate whether or not you would like to see this draft
>> adopted.
>>
>> Thanks,
>> Chris, Joe, and Sean
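The strict requirement discussed under Question 2 (a cached session may only be resumed for an SNI value that is valid for the certificate presented during the original handshake) can be illustrated with a client-side eligibility check. The following is an added example written for this archive page; it is not code from the draft, from the thread, or from any TLS implementation. It covers both variants the message weighs against each other: the resumption group being the whole SAN list, and a separate server-provided list, which is honoured only for entries the certificate actually covers. The certificate SAN entries, hostnames and the `CachedSession` structure are constructed for the example; the name matching follows the RFC 6125 rules for dNSName (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label).

```python
"""Client-side check: may a cached TLS session be resumed for another SNI?

Added example for the thread above, not code from the draft or from any
TLS library. It models the stated requirement that cross-SNI resumption
is only permitted when the target SNI value is valid for the server
certificate presented during the initial connection establishment.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CachedSession:
    # SNI value used for the original full handshake (constructed).
    origin_sni: str
    # dNSName entries of the server certificate's SAN extension (constructed).
    san_dns_names: Tuple[str, ...]
    # Optional separate resumption group sent by the server (hypothetical
    # extension). None means "the resumption group is the entire SAN list".
    resumption_group: Optional[Tuple[str, ...]] = None


def _labels(name: str):
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName matching.

    Case-insensitive; a wildcard is only accepted as the whole leftmost
    label, matches exactly one label, and must leave at least two more
    labels so that patterns like "*.com" are rejected."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        # Partial-label wildcards such as "f*.example.com" are rejected.
        return False
    return p == h


def effective_group(session: CachedSession) -> Tuple[str, ...]:
    """Names the cached session may be reused for.

    Whole-SAN-list variant: the SAN dNSName entries themselves.
    Separate-list variant: only those entries of the server-provided list
    that are valid for the presented certificate, so a server cannot
    enlarge the group beyond what its certificate covers."""
    if session.resumption_group is None:
        return tuple(session.san_dns_names)
    return tuple(
        name for name in session.resumption_group
        if any(dns_name_matches(san, name) for san in session.san_dns_names)
    )


def resumption_allowed(session: CachedSession, target_sni: str) -> bool:
    """True if the session may be resumed for target_sni."""
    return any(dns_name_matches(name, target_sni)
               for name in effective_group(session))


def pick_session(cache, target_sni: str) -> Optional[CachedSession]:
    """Return the first cached session eligible for target_sni, or None.

    A client would call this before deciding between a resumption and a
    fresh full handshake; nothing in the cache is reused for a name the
    original certificate did not cover."""
    for session in cache:
        if resumption_allowed(session, target_sni):
            return session
    return None


# Constructed sample data, as a client might hold after one full handshake.
SAMPLE = CachedSession(
    origin_sni="www.example.com",
    san_dns_names=("www.example.com", "*.cdn.example.com", "example.net"),
)

# Same certificate, but the server sent a separate list containing a name
# the certificate does not cover; that entry must be ignored.
SAMPLE_WITH_LIST = CachedSession(
    origin_sni="www.example.com",
    san_dns_names=("www.example.com", "*.cdn.example.com", "example.net"),
    resumption_group=("example.net", "attacker.example.org"),
)

if __name__ == "__main__":
    for host in ("example.net", "img.cdn.example.com",
                 "a.b.cdn.example.com", "attacker.example.org"):
        print(host, resumption_allowed(SAMPLE, host),
              resumption_allowed(SAMPLE_WITH_LIST, host))
```

Running the module prints one line per target name with the decision for both cache entries; the two-label wildcard case (`a.b.cdn.example.com`) and the uncovered name in the separate list are both refused, which is the behaviour the requirement in the message asks for.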