Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Viktor Dukhovni <> Tue, 21 January 2020 22:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9366A12006F for <>; Tue, 21 Jan 2020 14:46:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VWf35NQ1maBr for <>; Tue, 21 Jan 2020 14:46:12 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7C6AA12002E for <>; Tue, 21 Jan 2020 14:46:11 -0800 (PST)
Received: by (Postfix, from userid 1001) id BE10449A6F; Tue, 21 Jan 2020 17:46:10 -0500 (EST)
Date: Tue, 21 Jan 2020 17:46:10 -0500
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Jan 2020 22:46:15 -0000

On Tue, Jan 21, 2020 at 01:17:59PM -0800, Eric Rescorla wrote:

> I would make several points here:
> 1. RFC 8446 explicitly discourages ticket reuse
>    ( so we
>    should not be designing an extension to enable reuse. While it's
>    potentially true that some applications do not benefit from
>    non-reuse, creating a set of mechanisms around reuse risks those
>    mechanisms being used in settings where reuse would be
>    bad. Moreover. just because at present sending MTAs have weak
>    privacy properties does not mean that we should bake in this
>    situation permanently.

Indeed I agree that ticket reuse is often undesirable, and expect that
it will be avoided in many cases.  So I am somewhat sympathetic to the
above as a starting point for the analysis.

That said, I don't see that making reuse easier to negotiate is likely
to create significant opportunities for misuse.

    - Both the client *and* the server would need to opt-in to reuse.

      * Even if the client asks for reuse, the server can invalidate
        the old ticket (something it would need to be able to do
        already to ensure non-reuse) and send a fresh one anyway.

        The client would have to replace the old with the new, since
        it has to assume that the old is now likely invalid.

      * Even if the server is willing to reuse, if the client asks
        for a new ticket, the server has to assume the client has
        a single-use cache, and should vend a new ticket.

      so it takes bilateral coordination to arrive at reuse, and
      so accidental reuse in applications where it is inappropriate
      requires errors on both ends.

> 2. The additional cost of multiple tickets seems extraordinarily
>    small, so I am not at all persuaded that there is enough value in
>    this use case to justify adding new protocol machinery, even
>    ignoring point (1) above.

Postfix has a shared cache (indexed by destination domain+mx host) for
multiple independent processes racing to use the cache to make remote
SMTP connections.

Frequent writes to that cache create measurable overhead and still don't
prevent reuse.  Transmission of unnecessary tickets is also wasteful of
network and other server resources.

Erasing tickets on first use would be unwise, most existing servers will
not presently return a fresh ticket on resumption.

> 3. If there *is* such value, then you can register your own extension
>    which allows you to say the orthogonal thing, namely "don't send me
>    any tickets at all if you are resuming". This would be more
>    flexible in that you could then say "I would like 10 tickets, but
>    only if you don't resume". Note that
> would
>    allow you to do this efficiently.

This is an interesting idea, but how would the two extensions interact?
And wouldn't that interaction add more complexity?  By hypothesis
clients that are willing to reuse tickets don't really need more than
one at a time.  Is there a clear use case for multiple concurrent
reusable tickets.

> Thus, I would prefer to advance this document as-is.

Thanks for the substantive response.  Much appreciated.  I hope you're
willing to address the above reaction, I am trying to find common
ground that addresses your concerns and mine.