Re: [TLS] cross-domain cache sharing and 0rtt
Martin Thomson <martin.thomson@gmail.com> Wed, 04 January 2017 04:38 UTC
In-Reply-To: <20170104042901.GA21843@LK-Perkele-V2.elisa-laajakaista.fi>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 04 Jan 2017 15:38:23 +1100
Message-ID: <CABkgnnX8-uMHz=fO5rFcJ=PpT7+nL88uTY7Rz5MBL99+imdYfg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wYgwUqhSIpTMzSZmwiguUTPM9GY>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cross-domain cache sharing and 0rtt
On 4 January 2017 at 15:29, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> Naively, if s1 and s2 share cert and private key, and ignore the SNI, it
>> seems like redirecting a full handshake would work. But I didn't think
>> about it very hard.
>
> Actually, I think it would work if you merely have cross-valid
> selected certs. No need to share private key or even ignore SNI.

That's almost ignoring SNI. You are X but will accept a connection for Y. It's certainly true that you don't need to share keys, you share valid credentials and are willing to use them.

Either way, your point is well made. How servers identify themselves is bound up in how they expect to be identified, which is often ambiguous intentionally. For example, it's common to have a single deployment configuration across an entire cluster and to rely on SNI alone for picking a certificate. That way you simplify management and don't have to look at IP addresses or anything like that.
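An added illustration, not part of the thread, of the two positions above: it models a cluster that picks its certificate from SNI alone and checks when a session ticket issued under one name would be accepted for another under a strict same-SNI policy versus the "cross-valid credential" policy. All hostnames, certificate names and the configuration table are constructed.

```python
# Added example (not from the mailing-list message): SNI-only certificate
# selection and its effect on which names a resumption ticket is good for.

from dataclasses import dataclass

# Constructed cluster-wide configuration: SNI -> credential. "cert-ab" is a
# single certificate whose SANs cover both a.example and b.example.
CERTS = {
    "cert-ab": frozenset({"a.example", "b.example"}),
    "cert-c": frozenset({"c.example"}),
}
SNI_TO_CERT = {"a.example": "cert-ab", "b.example": "cert-ab", "c.example": "cert-c"}


@dataclass(frozen=True)
class Ticket:
    sni: str   # server_name sent in the handshake that issued the ticket
    cert: str  # credential the server authenticated with in that handshake


def select_cert(sni):
    """Cluster policy described in the message: pick the certificate by SNI alone."""
    return SNI_TO_CERT.get(sni)


def issue_ticket(sni):
    cert = select_cert(sni)
    return Ticket(sni, cert) if cert else None


def accept_resumption(ticket, sni, policy):
    """Decide whether a ticket issued for ticket.sni may resume a connection for `sni`.
    'same-sni'    : accept only when the names match (strict).
    'cross-valid' : accept when the certificate selected for `sni` is the very
                    credential the ticket was issued under, i.e. it is valid for
                    both names. As the message notes, this is almost ignoring SNI."""
    if policy == "same-sni":
        return sni == ticket.sni
    if policy == "cross-valid":
        cert = select_cert(sni)
        return cert is not None and cert == ticket.cert and sni in CERTS[cert]
    raise ValueError(f"unknown policy {policy!r}")


def cross_resumable_names():
    """Defender audit: groups of hostnames whose tickets a 'cross-valid' server
    would accept for each other because they resolve to the same credential."""
    by_cert = {}
    for name, cert in SNI_TO_CERT.items():
        by_cert.setdefault(cert, set()).add(name)
    return {c: sorted(n) for c, n in by_cert.items() if len(n) > 1}
```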