IETF Logo Mail Archive

Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01

Kurt Roeckx <kurt@roeckx.be> Wed, 19 February 2014 23:03 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D4FF1A0504 for <tls@ietfa.amsl.com>; Wed, 19 Feb 2014 15:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NBPs1m3MAkEo for <tls@ietfa.amsl.com>; Wed, 19 Feb 2014 15:03:25 -0800 (PST)
Received: from defiant.e-webshops.eu (defiant.e-webshops.eu [82.146.122.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8AEEC1A02A1 for <tls@ietf.org>; Wed, 19 Feb 2014 15:03:25 -0800 (PST)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by defiant.e-webshops.eu (Postfix) with ESMTP id 6953B5AA001; Thu, 20 Feb 2014 00:03:21 +0100 (CET)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 3FB3C1FE016D; Thu, 20 Feb 2014 00:03:21 +0100 (CET)
Date: Thu, 20 Feb 2014 00:03:21 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20140219230321.GA17551@roeckx.be>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com> <20140219221025.GA15593@roeckx.be> <CABkgnnXGhNw40qJ5qFf_YoHT57jFuhH_P7CBT697WC3WESp4ew@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABkgnnXGhNw40qJ5qFf_YoHT57jFuhH_P7CBT697WC3WESp4ew@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wxhF__-BO8oaEazI9n3GI0oxT5w
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 23:03:29 -0000

On Wed, Feb 19, 2014 at 02:24:48PM -0800, Martin Thomson wrote:
> You could put half of the first round trip in DNS, but that's a fairly
> major change to the protocol.  Note however that the ServerParameters
> described in the draft is something that could be discovered through
> other channels, definitely.  No one is checking where
> PredictedParameters came from, just that it is correct.

I'm not saying that it's the only way, but it could be a way that
some sites might want to use.  I also think this doesn't add any
additional RTT on DNS, you can run 2 or more queries at the same
time.

> On 19 February 2014 14:10, Kurt Roeckx <kurt@roeckx.be> wrote:
> > The only reason I can find in your document is to prevent replay,
> > but I currently don't see how this is a problem.
> 
> If I had any reason to believe that your first flight included
> non-idempotent HTTP requests of interest to me (e.g., transfer $X to
> account Y) then replay protection is extremely interesting.

I was only looking at this from the client side for some reason.
At the server side I ussually deal with this at the application
level instead.


Kurt

v2.23.0 | Report a Bug | By Email