[TLS] Pull request for 1RTT Handshake
Eric Rescorla <ekr@rtfm.com> Thu, 03 July 2014 14:54 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC2E21A0162 for <tls@ietfa.amsl.com>; Thu, 3 Jul 2014 07:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kb3GjjZpTO9X for <tls@ietfa.amsl.com>; Thu, 3 Jul 2014 07:54:44 -0700 (PDT)
Received: from mail-we0-f179.google.com (mail-we0-f179.google.com [74.125.82.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 513EF1A00F8 for <tls@ietf.org>; Thu, 3 Jul 2014 07:54:44 -0700 (PDT)
Received: by mail-we0-f179.google.com with SMTP id w62so370292wes.38 for <tls@ietf.org>; Thu, 03 Jul 2014 07:54:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=FX24DUatI1O8wE4VGFe8C4RO9VumIjxHBoavwApR9dk=; b=GEH6Qj/dmmcpWN+yIqMHEymbSyswk3JG2OLCagewXcwaZQoW9TrJFbYzsfhBE4K2JH +xxWJniYVFIt2T8NP8+GOyJTbnWhVpN9qU4cw4mzAl4fDSDz0vNmZRk/JipxAwmbx4m+ x5Q6P0yY1AXDFI8TT2TZAQsX/BxHI/QcKoZe1KOchzPnKHVbUXpAdriykKWQ3fSLLPAN VJShpv3H5cSrUQXsnby9WfOSxNEn/aCcodoMmLbeEGKUGTbXgUoNMwZHDvt/Lbq37RWS xVbYhVfXAClXt70zQ0LKAFwr3SFjcgq/rTbGvlBfPOCwrDwc8tevIw68KQwAsvYPsFpJ h+6w==
X-Gm-Message-State: ALoCoQmSDvnFx9lsIe7U/qWMeoDhwGzTa93VwD1XFMA+Lxhan3x50OlwwZl1n3HPubhs2yqTMxbV
X-Received: by 10.194.110.10 with SMTP id hw10mr5469577wjb.81.1404399280286; Thu, 03 Jul 2014 07:54:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.57.202 with HTTP; Thu, 3 Jul 2014 07:54:00 -0700 (PDT)
X-Originating-IP: [2620:101:80fc:232:d111:1560:5df9:5c3d]
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 Jul 2014 07:54:00 -0700
Message-ID: <CABcZeBNTJZo+ua6eV8H1Pwb2MqzD=o20=s+XkiQUL9fftspJrQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e010d870c39a49f04fd4b30e1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/x9a-XxO4ax3meclLNOU3IuHoyCM
Subject: [TLS] Pull request for 1RTT Handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jul 2014 14:54:47 -0000
I've just put up a pull request that makes the first cut changes from the consensus from Denver for 1-RTT handshake without SNI protection. As we discussed, I'm leaving the door open for SNI protection, but since these are separable work items, and this is already a fairly signficant change I wanted to get the 1-RTT stuff down first. The PR can be found at: https://github.com/tlswg/tls13-spec/pull/52 It's still kind of rough and there are a bunch of open issues (and most likely several mistakes) but I think it's clear what direction it's going in. I wanted to explicitly called out some known open issues in the draft, both so I can get feedback/discussion on these and so that people know they haven't been forgotten: - Based on the mailing list and interim discussion and a bunch of private conversations, I wrote this up as requiring named DHE groups (and assuming we will want named ECDHE groups). This makes things quite a bit simpler and seemed like a good idea anyway. I recognize that I'm a bit ahead of the list consensus here, but my sense is that this was the emerging consensus. If there are major objections to this change, I can rework things otherwise, but I believe it will make things more confusing. - I have partly removed dh_rsa and dh_dss because they get in the way of having a common handshake pattern and nobody seemed to want them. Assuming nobody screams I will do a separate PR to remove them entirely. - We need to take care that we don't introduce a downgrade issue in the 2-RTT flow (Figure 2) where the server tells the client he has sent an incorrect CKE. There are some open issues noted in the draft about how to do this exactly. Comments welcome. - MT convinced me that the client should be able to make multiple ClientKeyExchange offers for different parameter sets, so I did that. - The EarlyData mechanism is a bit overgeneral as opposed to an explicit ClientKeyExchange extension, but it seems like it's going to be useful when we do SNI encryption and 0-RTT. - I haven't assumed we are going to incorporate ECDHE, but that seems like it's likely coming. Similarly, I expect to incorporate the triple handshake fix separately. - I haven't added any support for the server-offered extensions that were proposed in Denver. That seems separable. I intend to merge this into the draft on Friday. As should be clear from the draft and the comments above, there are still open issues to resolve, so even when it's merged in some of this is obviously provisional. With that said, if there's stuff that looks clearly wrong or there is an open issue that isn't properly identified, please let me know. Thanks, -Ekr P.S. Thanks to all the people who helped with earlier versions of this, in particular Wan-Teh Chang Daniel, Kahn Gillmor, Andy Lutomirski, Andrei Popov, Tom Ritter, Rich Salz, and Martin Thomson.
- [TLS] Pull request for 1RTT Handshake Eric Rescorla
- Re: [TLS] Pull request for 1RTT Handshake Watson Ladd
- Re: [TLS] Pull request for 1RTT Handshake Eric Rescorla
- Re: [TLS] Pull request for 1RTT Handshake Watson Ladd
- Re: [TLS] Pull request for 1RTT Handshake Eric Rescorla
- Re: [TLS] Pull request for 1RTT Handshake Watson Ladd