Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

"Christopher Wood" <caw@heapingbits.net> Sat, 05 October 2019 12:06 UTC

Message-Id: <9805f0ea-065f-48be-8514-1b8ff3373f7b@www.fastmail.com>
In-Reply-To: <F21EF885-96B5-411F-B79D-87EEB9B046B6@dukhovni.org>
References: <156962803631.24993.3421537129925787732@ietfa.amsl.com> <20191001145600.GU21772@straasha.imrryr.org> <20191002230402.GF5002@localhost> <c301f241-33fb-48f3-a55f-b53824180be2@www.fastmail.com> <F21EF885-96B5-411F-B79D-87EEB9B046B6@dukhovni.org>
Date: Sat, 05 Oct 2019 05:06:04 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/w2c_OeGxoq5poIQWxvkspIibnzE>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ticketrequests-02.txt

On Wed, Oct 2, 2019, at 8:44 PM, Viktor Dukhovni wrote:
> > On Oct 2, 2019, at 11:20 PM, Christopher Wood <caw@heapingbits.net> wrote:
> > 
> > Asking for one upon resumption seems reasonable to me. Thanks to you and Viktor for bringing up this case!
> 
> Thanks!  Much appreciated.
> 
> My other point, which I probably obscured in too many words, is
> that a client that prefers to re-use existing tickets, would
> normally want to ask for 0 new tickets, but this should not
> necessarily preclude the server from issuing one *as needed*
> (STEK rollover, ...).
> 
> So there is a difference between a signal that tickets
> are simply not wanted, vs. wanted only *as needed*.
> 
> Do you have any thoughts on how a client might signal this?
>
> The use-case is clients and servers that don't make use of
> early-data, and don't need to avoid traffic analysis.  For
> example, MTA-to-MTA traffic, where the client even identifies
> in clear text with "EHLO".  Here ticket reuse is the norm,
> and renewal is only needed as tickets age.
> 
> [ I hope I managed a suitably concise description this time... ]

You did indeed! However, I'm not sure we should be encouraging ticket re-use. I think asking for 1 upon resumption would be the norm, which should address this case. (That is, I'm not sure adding more information to the signal to support the *as needed* case is worth the added complexity.)

Best,
Chris

> 
> -- 
> 	Viktor.
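The distinction the thread turns on, "0 tickets, not wanted" versus "0 tickets, but renew as needed", as a constructed model added here. It is not code from draft-ietf-tls-ticketrequests or from any TLS stack; the single-byte extension body, the `Ticket` fields, the STEK ids and the renewal rule are all assumptions made for the illustration.

```python
"""Constructed model of the ticket-request signal discussed in this thread; it is
not code from draft-ietf-tls-ticketrequests or from any TLS implementation.
Assumed: the extension body is a single uint8 count (the draft -02 layout), and
the server can tell which STEK sealed a ticket a client presents for resumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ticket:
    stek_id: int    # id of the Session Ticket Encryption Key that sealed it
    issued_at: int  # seconds since epoch (constructed sample values in tests)
    lifetime: int   # ticket_lifetime in seconds


def encode_ticket_request(count: int) -> bytes:
    """ClientHello extension body: one byte giving the number of tickets wanted."""
    if not 0 <= count <= 255:
        raise ValueError("count must fit in a uint8")
    return bytes([count])


def decode_ticket_request(body: bytes) -> int:
    if len(body) != 1:
        raise ValueError("malformed ticket_request body")
    return body[0]


def client_count(resuming: bool, policy: str) -> int:
    """'reuse': MTA-style client that keeps re-presenting one ticket, asks for 0.
    'renew': the norm suggested in the reply above, one ticket per resumption."""
    if policy == "reuse":
        return 0
    return 1 if resuming else 2


def needs_renewal(t: Ticket, current_stek_id: int, now: int) -> bool:
    """Server-side 'as needed' condition (assumed rule): the ticket was sealed
    under a retired STEK, or it is past half of its lifetime."""
    return t.stek_id != current_stek_id or now - t.issued_at > t.lifetime // 2


def tickets_to_issue(requested: int, presented: Optional[Ticket],
                     current_stek_id: int, now: int, as_needed: bool) -> int:
    """Number of NewSessionTicket messages the server sends. With as_needed
    False a request for 0 is read strictly, so a reusing client keeps presenting
    a ticket the server will soon stop accepting; with as_needed True the server
    overrides 0 with 1 exactly when renewal is due."""
    n = min(requested, 2)  # cap what a client may ask for
    if n == 0 and as_needed and presented is not None \
            and needs_renewal(presented, current_stek_id, now):
        n = 1
    return n
```

With the "renew" policy a resuming client asks for 1 and the strict server already issues one, which is why the reply above argues no extra signal is needed for the rollover case.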