Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
David Schinazi <dschinazi.ietf@gmail.com> Thu, 21 November 2019 03:19 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8955E12022A for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 19:19:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXcTgxVw58zi for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 19:19:50 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8D4A12006E for <tls@ietf.org>; Wed, 20 Nov 2019 19:19:49 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id q28so1347118lfp.2 for <tls@ietf.org>; Wed, 20 Nov 2019 19:19:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=kzGDwEV4QIZLOyiXF+x7xBLKz9zva4//4a1MkZhy7Io=; b=XNzHErmB6ogv5qqikNOVm+MXlQAN04kNSfc/TeL84D50D7UiQoDWVTPfCe0Y/14Fk1 cRhBprrTrb8PNmoX601tkTMWWuX9j92jfFUR4/ZtLEBuMus/NKM3L73yALebAmvCPsGy 6dchcR3a1ZcneeJmObcNQzmRw/5awwdaKPgPH0qNg6er6KeqCvAZde2uMx2EK6Wt2+uT +RqZ5jbJaIEQfy/dFps5DUiO06Nu8ZCNOMea5l9rTexlhP/Ark+YlBnjCHvXmLfBoZjw yT7uYhYPbC/L+qwyLvwqR1yetuNQlV3F4KzgPU4jCGH47Q3Yrji3aATDAsd/c+z0b6ZM gkww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=kzGDwEV4QIZLOyiXF+x7xBLKz9zva4//4a1MkZhy7Io=; b=qnwEAqzwkaYrbbCKMwMh9cOVWYpA8o4dter3DQWUTPOAm6YR4+7cUmr39QaoxDRtzs 9H8WrzlRTx8ZHvJBdmRyhmQPSgUTzXIRsnHNp2KA0NF0lubUJ0DGF+ElOLYSj/+AUf3a GB8YOBYLlvHItgNVUwOh1HY0BLxtSRA2d7/lnjWfoV2SSK0MmkU3QkdW5kH+vvWdEzIo la8P33NABmwmCCpFCNDIW/VFdLf/wm+qAqtWF0hyvDDounoDrFvnkDh05D7P+gcX0G1F 87K7PQFfpLE/OMIXxYKpfErmJ5QVO0xj7C0FKypjoJzHJ0JTm1FvUmuwOd0iUTZqlkjw 7ZrA==
X-Gm-Message-State: APjAAAXnfgGKIifTjg/9OwTGfqNlNFTbwSoXDDvou1dUrUcVlCP2Ld1+ Tcv5nOiUdM1v0OrIIKlWBMNbydBcZD0cJ+rWW90GqqZKOAU=
X-Google-Smtp-Source: APXvYqwsmV29R6HfXF6dd3v97upYPTZuYo1YZy/IQjfYG3VSxHoLJ3Uyw4qbE6n8LDTPCVp312bF+h6hFQYMoOkxo3g=
X-Received: by 2002:a19:22cc:: with SMTP id i195mr4344675lfi.148.1574306388079; Wed, 20 Nov 2019 19:19:48 -0800 (PST)
MIME-Version: 1.0
References: <20191116103855.GQ20609@akamai.com> <20191116110425.GR34850@straasha.imrryr.org> <556d2210-4af7-b398-fbd7-eab2685d7c62@wizmail.org> <20191116210617.GS34850@straasha.imrryr.org> <20191116235952.GR20609@akamai.com> <20191117002249.GV34850@straasha.imrryr.org> <CADZyTkmaUVj=sFdgg93MuM2au0B=1M1k3yCA1XDoaAneVDmnNw@mail.gmail.com> <14690874-E301-4BC0-B385-00DEBCBA94C2@apple.com> <20191120034812.GQ34850@straasha.imrryr.org> <5FBFE820-8C53-4B32-9520-343279C1A6CC@apple.com> <20191120064819.GR34850@straasha.imrryr.org>
In-Reply-To: <20191120064819.GR34850@straasha.imrryr.org>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 21 Nov 2019 11:19:36 +0800
Message-ID: <CAPDSy+6DFJ+OYRtYK6eEiUt1noiik4KxqrGFx0ro_RL2Mft_VA@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000077aaf0597d2c5a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/y0Ej2nYErCW2YgrLRxJ7dg-oa7c>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 03:19:52 -0000
Hi folks, I've chatted with Daniel and Chris offline, and I think there might have been some miscommunication here. Please allow me to rephrase what I think is going on, and please let me know if this accurately represents your views. Daniel has a IoT use-case where due to memory constraints, a client knows it can only handle a certain number of tickets, and therefore Daniel was wondering if it would make sense to make the requested number of tickets a required maximum (as in a RFC 2119 MUST). However, server operators on this thread have indicated that a MUST would get in the way of implementing this, due to STEK rotation for example. Daniel understands this, and is OK with the current mindset of the document (which is only a hint, not a MUST). Additionally, Daniel would prefer to see the document move forward. In order to try to address Daniel's comments, I attempted to rephrase the normative section to suggest in more stronger terms that servers really shouldn't be sending more than the client's request, but keeping it a SHOULD. Here is the PR with the rephrase: https://github.com/tlswg/draft-ietf-tls-ticketrequest/pull/10 Here's a copy of the updated paragraph in the PR: Clients can use TicketRequestContents.count to indicate the number of tickets they would prefer to receive. Servers SHOULD NOT send more tickets than TicketRequestContents.count, as clients will most likely discard any additional tickets. Servers SHOULD additionally place a limit on the number of tickets they are willing to send to save resources. Therefore, the number of NewSessionTicket messages sent SHOULD be the minimum of the server's self-imposed limit and TicketRequestContents.count. Regarding Viktor's suggestion, I personally believe it would increase the complexity of the proposal, and I don't see use-cases compelling enough to warrant that complexity. I would rather keep this proposal as simple as possible. Thanks, David On Wed, Nov 20, 2019 at 2:48 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Wed, Nov 20, 2019 at 11:53:08AM +0800, Tommy Pauly wrote: > > > > Somebody should try to avoid ending up with N new tickets after > > > every connection, but in could well be the client. > > > > Yes, I think that can and ought to be the client. The client is really > the > > only party that can know how many tickets have been "consumed" by > potentially > > failed attempts to connect that the server didn't see in time or got > dropped. > > OK, in that case, the proposal, is that on resumption, if the proposed > extension is *absent*, then the server should generally send just one > rather > than any larger default. > > If the extension is present, it is up to the client to not blindly ask for > N > tickets each time, and generally ask for just one ticket on resumption, > once it > has sufficiently many tickets for the desired concurrency level, with each > parallel thread obtaining one replacement ticket its next connection. > > As discussed clients that prefer to reuse tickets, can ask for zero, and > get 1 > only as-needed. If the server supports reuse then all is well. > > If the server does not support and refuses reuse, then it will issue a new > ticket each time and may only accept it once, but the client may have a > single-slot cache. If the client makes only one connection at a time, this > also works, but if/when its handshakes with the server overlap (a narrow > window > of ~1RTT) and two connections attempt to resume with the same ticket, one > of > them will end up doing a full handshake, but only when the client and > server > applications have incompatible ticket reuse expectations. Some friction > when the client and server are mismatched is not the end of the world. > > So on the whole I think the proposal still works with just a numeric signal > (tweaked with 0xff == none and 0 == reuse), and the onus to "generally > send 1" > on resumption moved to the client (i.e. clients that don't solicit ticket > reuse > should request only 1 ticket once they have enough). > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests David Schinazi
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Watson Ladd
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Nico Williams
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Bill Frantz
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Tommy Pauly
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Ben Schwartz
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Daniel Migault
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Jeremy Harris
- Re: [TLS] WGLC for draft-ietf-tls-ticketrequests Viktor Dukhovni