Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
Colm MacCárthaigh <colm@allcosts.net> Fri, 25 March 2016 19:41 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2491B12D5EA for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ew6XLr7lXDZs for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:41:18 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 448C212D1D0 for <tls@ietf.org>; Fri, 25 Mar 2016 12:41:05 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id o6so38427738qkc.2 for <tls@ietf.org>; Fri, 25 Mar 2016 12:41:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=rv0ZVlVfUC9zwaSJB1KzuVm6yqcQTSG5LNpCZe+JfMQ=; b=xC+2MaXDyDU/0EcmsKJDYoLjrc6y8Ob+dhw2mrGtIXfqUTONDiJc226osQ60F+XxQy 39OTvO4kId/XhAz7Q2E7HdyHxrpuunXs2WW/yWkSGd29bxWWE+3p+TbyzRVGtPWL5Zjc 8vQ+jGrugxxdQ+C0tirlp6PNt8vrd/OJIZ46SAaL7t8uZftY23mFBzIMDdJx3z1JUWjT XfdLfeKRkkoO5bTJBknp7GX4JznaVw0OWimUAWoVGSRmTudYXGog0vLt0KsQWBRFFAvm jSrZIJQNxvdOJXxKWbMv1HXy7pOnPnLlqXHHD1Ic+eEWJcRprEllm6xFryObt4/VzLBv hNBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=rv0ZVlVfUC9zwaSJB1KzuVm6yqcQTSG5LNpCZe+JfMQ=; b=XLB1wSzyJTmInqed7K8aAWEA0XsLM9gsJCuEVrCALjs1N9Z8o9OdpLLJ889G3sDdNN QgtM4mGKPJnNmee+2BWDfVIYwhBPNNyeHffdPl00je+hAxxdTSEf4idqs489NqIl9Lq+ eA8yNiAM6f0EkiQQtWDfnjetD41ZfCRLSUZFm16ZhB3Qmgr7HfwI0pQJt1Et5Xn+SBa5 UOnYCm8a07YdP07ZxbKydtL85Pov3LIAMvomepnC0Gfx+hh9qXJpSZut1OG7ROFYf+HL aE+mOoDNyOnhHa7j3HU0T/9lEFUJWgU2BaU38GaKWT/BvnHmtYKkUvjQGZiV+prQ1j69 BXKA==
X-Gm-Message-State: AD7BkJJ9/pI4zJv7dohXDT8b+kZ/LwstRqidxcMPKPdibCu9JMXZM3Qq/MHjw++xb4j6lM/aNbPa4+/aL8rgaQ==
MIME-Version: 1.0
X-Received: by 10.37.94.138 with SMTP id s132mr8676316ybb.85.1458934864485; Fri, 25 Mar 2016 12:41:04 -0700 (PDT)
Received: by 10.129.88.137 with HTTP; Fri, 25 Mar 2016 12:41:04 -0700 (PDT)
In-Reply-To: <4B85487A-850B-4347-80A7-A3A4D92593E6@inria.fr>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <CAAF6GDefiSCnggjgQJT3NG0DJMC2SDJ=r__npg5L6ycicuzpJQ@mail.gmail.com> <4B85487A-850B-4347-80A7-A3A4D92593E6@inria.fr>
Date: Fri, 25 Mar 2016 12:41:04 -0700
Message-ID: <CAAF6GDcW9aP6eYZMLCDBz=XYTOky0r+WiYWnY_Q+GVetojv0AQ@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: multipart/alternative; boundary="001a11422e16597157052ee4beb1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ymW-9REQ22D9bicZYaa40becl_s>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 19:41:20 -0000
On Fri, Mar 25, 2016 at 12:02 PM, Karthik Bhargavan < karthikeyan.bhargavan@inria.fr> wrote: > > +1 but I think we can go further here and specify 0RTT in such a way > that it only works when the server maintains state, and so that any given > 0RTT ticket may only be used once (to preserve forward secrecy as much as > possible within the constrains of 0RTT). > > Do you envision clients only having one resumption handshake at a time? I > was under the impression that TLS 1.2 clients typically open multiple > resumption handshakes in parallel, and that TLS 1.3 clients would want to > do the same. > It is common for existing clients to re-use the same ticket for many connections. This is at-odds with forward secrecy though :/ Clients could have many resumption tokens at a time though; e.g. they could ask for 10 and use each one once. It's just that each token is used once. So parallel resumptions could be supported. -- Colm
- [TLS] Cleaning up 0-RTT Signaling (ciphersuites, … Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Bill Cox
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Benjamin Kaduk
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh