IETF Logo Mail Archive

Re: [TLS] Separate APIs for 0-RTT

Colm MacCárthaigh <colm@allcosts.net> Wed, 14 June 2017 22:47 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 428361294E7 for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 15:47:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C4Gh9QNeptyU for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 15:47:42 -0700 (PDT)
Received: from mail-yb0-x22a.google.com (mail-yb0-x22a.google.com [IPv6:2607:f8b0:4002:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1CAB1293E8 for <tls@ietf.org>; Wed, 14 Jun 2017 15:47:42 -0700 (PDT)
Received: by mail-yb0-x22a.google.com with SMTP id t7so4526665yba.3 for <tls@ietf.org>; Wed, 14 Jun 2017 15:47:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oQ96rCopnmopmhYvHWC6z+0vRD6uMC47JJpM+M36b7I=; b=ERmHzirrSD/TNp98gL6WX+5EGaQDg6Wfl7vwcocB611WnUjJn2xyf0C/VXbMZLdcNt 1sscl2bzsopcQ8vO7BGDpWhC9+TLM8dJiFtywks5De+7vxKOksFb7BriAl4lh5Qgc5BU HCKifcG6hNeSbRZG1ZCOtsaikdslfjSSbZVjNa18ptn+alci0ojw7lZEUOJ7hsxsjZVP ND+a8GB/1IQ8gFE+GvTpIMgTt7vn0zqLV0tI+KM1Irm4pp4z5LwAo1eKeOJbm5RN6G77 wyodMRcm6VzUCknefSnLmRqRF4OiK8zzsdXIpjqs8rva+Vi2GozlsrYubTJBFi7OMh1J IYNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oQ96rCopnmopmhYvHWC6z+0vRD6uMC47JJpM+M36b7I=; b=NkYOWjPqnGhFqdxeJ1YNYUQXqgVSxuLU4q5MQdaWhs61Yln2/WpVnhj1K0yC3qP1Dl F9a86rP5A2xezRHza9As78rBjVv+YbpPex2VtDcVrJ/IWTIWwhfTypEpN87gR0nRH4tq VTW2BE9H3IirGJOi2e3F2HlgR0siKqfVbqL61KakwrW07KxI6zTOhtsa2Q7+sU5EjePO 6j+kva44h8ew0GkyuSAIaCza8Xromgh4S8bCaS/dKG8U4qgYXW+2EPxPQYmCCTsO82lG oZseU5brytVdDv5OgHOPmUwrh+xeDroPv6m1j4u9s2jTlKO4QhBjHk9uTcev4NEWi9Ec GxXQ==
X-Gm-Message-State: AKS2vOxbqUxc8/AoMJE8Clr4sIKe6Psx3/wvTmqFtGoF94aEYrIchMkp 04AJ6CXsdAxymUCipjL/7YpV6PORTS8X
X-Received: by 10.37.50.5 with SMTP id y5mr2018945yby.204.1497480461983; Wed, 14 Jun 2017 15:47:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.93.70 with HTTP; Wed, 14 Jun 2017 15:47:41 -0700 (PDT)
In-Reply-To: <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com>
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com> <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 14 Jun 2017 15:47:41 -0700
Message-ID: <CAAF6GDfRJKgCbSW+eRpmkRSWQ0tz5-h12BxRB+gSGQk=0i-VFA@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, Petr Špaček <petr.spacek@nic.cz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1146df52febcdc0551f3567b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vr0eDHsWRZq2UFLLZ9NMJwBRLKI>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 22:47:44 -0000

On Wed, Jun 14, 2017 at 3:23 PM, David Benjamin <davidben@chromium.org>
wrote:

> That is, it is not the identity of the bytes that matters much. It's
> whether the connection has been confirmed when you perform an unsafe
> action. I believe this still satisfies the properties we want, but without
> breaking standard interfaces. Very near the TLS stack, at the point where
> the record boundary abstraction starts leaking (it's common to only give
> you back a single record on read), either API is equally easy to provide.
> The looser phrasing is needed for composition once you start going up a
> layer or to.
>

Suppose a request, or a frame, spans two different client certificate
authentication contexts (or unauthenticated, and authenticated); how is
that handled today? or is it just forbidden?

-- 
Colm

v2.23.0 | Report a Bug | By Email