IETF Logo Mail Archive

Re: [TLS] #445: Enhanced New Session Ticket

Eric Rescorla <ekr@rtfm.com> Thu, 28 April 2016 21:21 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08A8C12D9F4 for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 14:21:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kroMSTYNvl8w for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 14:21:52 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C414A12D9F1 for <tls@ietf.org>; Thu, 28 Apr 2016 14:21:51 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id g133so128986553ywb.2 for <tls@ietf.org>; Thu, 28 Apr 2016 14:21:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=QL59JnFpPiwV7jTW2Z7c101W8vn8Z6lrlMFD7yrWG2o=; b=A5TdIeO81MN4/gS8KcVkWDFwDXu901/FFUphi2LTojrFkUs+JLHCstDBTe/N6swzbf 6QWRdeAX9BV64C2D5SiL/OhSQ4vVrwRN9VY4IsMqiFb+XEkFDSaIOvqg13RV6XbfVPiY jeQSEF1JMLU1uiY4rq8SjbeTasxvsacHWlLPuzO4Q1vazGSsFh+6z7SAjCbV0pndirjF zF5x1/RipuX5xGNkF8m0AoF8Vi+GlTS5M3O+QNiuJjh0SQ7hq1hiuO0RPezhLm+W66H6 ocxkqNgV/aqhW8XnRp7LntMrKAzCnOSzJzEpr+1FT8qWY28WZ+jRH4XoHcnsZViU7Ggv IfvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=QL59JnFpPiwV7jTW2Z7c101W8vn8Z6lrlMFD7yrWG2o=; b=AAJ86CewQ6UCHHV0OTnnzBN1zboI3h9BqOxSGo+R8w1PJoceLiT6bFqv/jPerxhlgG Y/MDb/MKycNHs4xEP7Srp2x0REIqm3Fhoj6dusu9YRIVKaV3tbvzQ+CEfc7ns3qgyln1 rL1mR+rGx6qyWuRFuKSKQL5BXYeffrXnoTMkax+UEU2hHWcnQSTh9GzxL+TZF3AJV/nQ uXFpkABCTR1iUVINOa3m44rm0wYSPrh83NsxDZfIsdug32pfu1Vd2Cv23+gQ6Fg8C5Yp F+PZaOF5a4qAcZDwWtMHdzZEu26CqjsArT7Ny8/iEcldjFmyZ4fP4RnzJLNPQi4fJu9z TGqw==
X-Gm-Message-State: AOPr4FXDC4mpx2ZI+kr+mME1db1ddgJJWj81s158IDYetCGSX5KA7maPjO+I3GXUoi70rpSXRQOr58Kqfs6cnQ==
X-Received: by 10.37.80.146 with SMTP id e140mr4748524ybb.162.1461878511090; Thu, 28 Apr 2016 14:21:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Thu, 28 Apr 2016 14:21:11 -0700 (PDT)
In-Reply-To: <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 28 Apr 2016 14:21:11 -0700
Message-ID: <CABcZeBOzp3WsGuEgcDJtm5ZYNXBQ68Ser+nueWJphj+cPyb2Ew@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a113ea0605bf2130531921dcf"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/yoMJ-z-5gps-l_0v0W2iaenqWfU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 21:21:54 -0000

On Thu, Apr 28, 2016 at 1:43 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> On Thu, Apr 28, 2016 at 12:32 PM, Ilari Liusvaara <
> ilariliusvaara@welho.com> wrote:
>
>> Some comments:
>>
>
> Please note: this PR is still a WIP. I'll be updating it in a bit...
>
>
>
>> - I presume 0-RTT used in retried ClientHello uses (and for the verify
>>   mechanism to work, that needs to be allowed!) uses ClientHello1...
>>   ClientHello2 as its base hash?
>>
>
> I don't think I understand what you are asking. Can you rephrase.
>
>
>
>> - Is that 0-RTT Finished message needed? It is the only 0-RTT handshake
>>   message...
>>
>
> I think so it's a proof that the client knows the key. Also, per the
> discussion in
> Buenos-Aires we expect to be adding
>
>
>
>> - Server can send CertificateRequest in GDHE-PSK or PSK mode???
>>
>
> Is there a reason that's undesirable? Note that it can always do
> post-handshake
> authentication, so we need to ensure that this is secure. My understanding
> is
> that because it covers the server's Finished, it therefore builds in the
> PSK
> value (per the analyis from Scott et al.). Do you have a concern with this.
>
>
> - What are 'etc' for parameters for 0-RTT data? Use the present
>>   extension list here and have any future extensions that matter here
>>   explicitly define their interaction.
>>
>
> The list is an example. The operative word is "all".
>
> - The requirement for server to validate its extensions... Hopefully
>>   there is no security reason for that... I really don't see it being
>>   implemented correctly (and the description looks completely screwy[1]).
>>
>
> This is an important requirement. For instance, you need the same ALPN
> value.
>
>
>
>> - 1 RTT server context presumably ends in CertificateRequest, not
>>   CertificateVerify (the Certificate and CertificateVerify are
>>   impiled).
>>
>
> I'm not sure which section of the draft you're referring too here.
>

Ah, right, I got confused about sections. Thanks.


>
>
> - You might want flag for if server promises replay protection or
>>   not in NST.
>>
>
> We discussed this in BE and the consensus was that it was not clear how
> the server implemented this and so it was unwise to promise it.
>
>
>
>> - You might want to specify that allow_dhe_resumption doesn't
>>   change key exchange, only authentication (so DHE_CERT becomes
>>   DHE_PSK and ECDHE_CERT becomes ECDHE_PSK).
>
>
> I'm not sure I follow. It changes key exchange. If we want to have
> a resumption mode that has the server sign, we'll need a different
> indicator here.
>
>
> [1] There are many extensions that are not relevant because those
>> control server authentication (e.g. status_request, status_request_v2,
>> signed_certificate_timestamp, server_certificate_type). And some that
>> are low-level connection control (e.g. max_fragment_length)
>
>
> Yes, I am being conservative here because false positives don't seem like
> they will happen a lot.
>
>
> ALPN is special here tho: It needs to match the impiled 0-RTT ALPN
>> (does one want that extension in 0-RTT case anyway?).
>>
>
> Yes, you absolutely need ALPN for early data.
>
> -Ekr
>
>
>>
>> -Ilari
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>

v2.23.0 | Report a Bug | By Email