Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
Eric Rescorla <ekr@rtfm.com> Sat, 20 February 2016 00:03 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF4471B36A6 for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 16:03:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpY2PCYMKwnj for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 16:03:25 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B899A1B3618 for <tls@ietf.org>; Fri, 19 Feb 2016 16:03:24 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id u200so80186337ywf.0 for <tls@ietf.org>; Fri, 19 Feb 2016 16:03:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=O1KiRap2HDwzvmI6FfZO1gMq+XwtczYFMPn8PplAdBg=; b=Uqsxc4kGgLodewZVhUX1NfRkr8dVyhwj9InL8A8l7CrdW2Q/93+JOcI/lvi4CdvrFp 1Phlb/G2SovLNQnxMFoKNcXcglrXHk/yIapyqHObLGPO5wQLWkYJCtO0V1H+zMM2aHl7 a38NG+A13ABePtcLhZib9P6HwWBEi8oik978BNLla95BHjRf8mnKMYjWcL8qx/CgdRqW /VqYQvLTyFtRp/U5fzWby1YcZRNiiotHvukvnorpUynGeHpAq2aA6NKPONPk9yfocsfE GnQ7FeLXgDOpQK7Mx2bv49o6wo61uS/Y+4X7H3ZDwkE+g+c4MEh27Aar8WEHXjlcvu0B ozsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=O1KiRap2HDwzvmI6FfZO1gMq+XwtczYFMPn8PplAdBg=; b=StB7rNWpaKlyBKd8PWUkOfnaKJtOS8Yo3pY6xWncr2irmM/nOok2NN/psoA9XyxTQ/ p1gSRkr5310kFmW309fGm1R8k9st0wsxUYDPWo5URpUeQAZn5YceVra20U2VZ5ZPTTEO Z/22Yj2Utn/K++g/iKr8stXN4eurmUveIurHT7NHHk96X1vCMhNCt5uJk9YDUe/vaECS lP/gOXNMUzK5Tdec/Q4SUhwqTzTFiKU1KwQ4CmiaLtoK3gjkUoQe9i/MFOHJ50Zh1+G4 CULWPYqEAZH7RILBonYh7joExio+ka9F0FEk8pQglzYYMkM3zlBbiJCNgg0aVZuzj0rR SpYw==
X-Gm-Message-State: AG10YORJkZq5ueH3OLQmbZo4US83o8mHmOy741o36K7dt20lZsxn1FOC7gbY/VMaKwF7AZV+rWUsSU0ADJJo1g==
X-Received: by 10.129.73.207 with SMTP id w198mr9212660ywa.223.1455926603999; Fri, 19 Feb 2016 16:03:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Fri, 19 Feb 2016 16:02:44 -0800 (PST)
In-Reply-To: <201602191815.10375.davemgarrett@gmail.com>
References: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com> <201602191708.20869.davemgarrett@gmail.com> <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com> <201602191815.10375.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 19 Feb 2016 17:02:44 -0700
Message-ID: <CABcZeBOrLnSrQXEYZGdNLFD+KyoCHj=NT=RWfcP26hK6XyMbzQ@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="001a114dc91c0d1f82052c2854dd"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vZ0ZYHuST-Oj7BJ0_Nvj8luMt58>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2016 00:03:27 -0000
On Fri, Feb 19, 2016 at 4:15 PM, Dave Garrett <davemgarrett@gmail.com> wrote: > On Friday, February 19, 2016 05:24:25 pm Eric Rescorla wrote: > > My impression is exactly the opposite. All the infrastructure to > PSK-resumption and > > hence PSK-0RTT is already in place for TLS 1.2. And of course > PSK-resumption > > is also much faster. > > That's good to hear. The perf advantage is why I'm not advocating dropping > it; merely saying that I too would prefer a single method if it didn't > loose capability. Dropping PSK resumption drops less than dropping DHE > 0RTT, but keeping both seems like the best option at the moment. > > > On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <davemgarrett@gmail.com> > wrote: > > > It would mean that TLS only has 0RTT resumption and not actually have > any 0RTT sessions. > > > > Why do you think that this makes a material difference? > > One of the fundamental complaints about TLS, performance-wise, is the > added round trip time over plaintext. That's why the WG made a point to > focus on adding 0RTT in the first place. Someone considering upgrading from > HTTP to HTTPS generally has this concern (or any other protocol to a > variant over TLS). With only PSK resumption, we can still always have a > 1RTT hit on first connection, and revert to that after the session is > considered expired. With DHE 0RTT we have a longer term config that could > allow for more generic caching and distribution and thus not have to get > that 1RTT hit in many scenarios. > > The lack of a current ability to easily distribute a new config system > should not be used as evidence against creating a new config system that we > would want to create a way to easily distribute. Even dumping the top few > dozen sites' 0RTT DHE config into a static file in a client update would be > a noticeable improvement over not doing so. Coming up with a better method > can come next. > > People should be using TLS or encryption in general as a matter of > responsibility, but they don't. Softening *all* barriers to them upgrading > is very necessary to get more to switch. 0RTT PSK only gets rid of a delay > in continuing a session, which in some use-cases might be minimally > noticeable. 0RTT DHE allows for a first-connect with comparable speed to > plaintext (in scenarios where 0RTT data is safe, namely most HTTP). Within > the context of HTTP, which is singled out as a focus in the TLS WG charter, > 0RTT DHE will provide a more noticeable latency reduction in comparison to > 0RTT PSK only. > This seems to basically come down to an assessment of how likely it is that we in fact will have an out-of-band priming mechanism. My sense from talking to the people most likely to deploy such a thing is that that's not actually very likely to emerge. Note that we're primarily discussing what has to appear in TLS 1.3. If something like this emerged it can be added in a future extension. appreciate that this is a judgement call and for a long time I leaned the way you are arguing, but lately I've started to feel like the arguments to the contrary are fairly persuasive. > Another issue is that of privacy with session resumption. If the only way > to get 0RTT is to keep sessions alive, then clearing that cache on the > client side costs a future 1RTT. You can, however, cache 0RTT DHE configs > safely for a longer time because they are not specific to the user agent. > (we should probably narrow the spec to state that configs SHOULD NOT be > per-client) In order to reliably get 0RTT without DHE configs, > applications/services would need to cache PSK resumption sessions for as > long as possible, which leaves a distinct per-user marker on both the > client and server. Anyone trying to optimize away the 1RTT hit of > first-connect will be required to maintain a system that keeps more user > identifiable information than we should want. > I don't find this argument very persuasive. The server need not store any information at all (because it can use tickets). As a practical matter, having the server's config leaks the fact that you had contacted the server just as much as having a session ticket. We already see this with HPKP and HSTS information and that's definitely public. -Ekr
- [TLS] Do we actually need semi-static DHE-based 0… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Bill Cox
- Re: [TLS] Do we actually need semi-static DHE-bas… Salz, Rich
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Scott Fluhrer (sfluhrer)
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- [TLS] Mass 0RTT of subresources with no prior kno… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Martin Thomson
- Re: [TLS] Mass 0RTT of subresources with no prior… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Eric Rescorla
- Re: [TLS] Mass 0RTT of subresources with no prior… Ilari Liusvaara
- Re: [TLS] Do we actually need semi-static DHE-bas… Nick Sullivan