IETF Logo Mail Archive

Re: [TLS] Adoption call for draft-sy-tls-resumption-group

"Martin Thomson" <mt@lowentropy.net> Wed, 24 April 2019 07:36 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EBDC1200F6 for <tls@ietfa.amsl.com>; Wed, 24 Apr 2019 00:36:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=ysJ/ThvD; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=V0Mq42kS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cBzZrUM8kmSb for <tls@ietfa.amsl.com>; Wed, 24 Apr 2019 00:36:46 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DE8A12006F for <tls@ietf.org>; Wed, 24 Apr 2019 00:36:46 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A67E2220FD; Wed, 24 Apr 2019 03:36:45 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Wed, 24 Apr 2019 03:36:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=kMYrjAbnM4CToD3o27n57D05kwGqwTj aSPsnKjrgUdw=; b=ysJ/ThvD3Sj5G2vzXltS21JW4xXn7YOME2ZvytsLeHTpDl/ 8fGusH0mKWwMZcHstp0LORLbYoyxc8/aBnhSET+DHxeba+dh4inT1Q4R5QMgmIen ZPWY1ILxqaNkmPcqbAMzpI6b/dehh6lk/26p1SuwIRrUXypjcooWc5CVnG4GFHgG 1XjrtmjsgFoAvU7GBHqiLptHyY1iygq/lOtCSer2XOn0mzgz2dkFnvLCr1kiLtb2 n65zh/QvvgaolHv74WK43KJ3ZnYOPMblgZQunQR3dDDRsmKlSe2ZtISNSD2ygswO sckNyicb2vbSTHW+cCjn4wrmwAYJxA4Jqz+7jAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=kMYrjA bnM4CToD3o27n57D05kwGqwTjaSPsnKjrgUdw=; b=V0Mq42kS+PDD9bk4MwW7X2 aV0/+TKcuO4Ncsztb4o/yVWQuFVN04A0avmWb2xLeHFQx2B2RsJow0TErunPEjb1 vh3s06mBv0Fw/aYK174Fux7anzaiUNW6ugaskMy535hVdZWdWHOSl+cD3J3z4jOS xgmkfKyYfNbSqQiJHPY2NcVghS/AKzQtb2PPfeOIRbiqg+8ygWd8wlfV3jb0ecjB /9rPeGoNf41s5BB0jOWypLqkadiinhck1Xv2f4gVvxmdYAVITGZ7XLkrUxURdSko xAg8wc2Xc8jHOCqVlq92Myge3IAkuqNqh2x/jXTvXhPCxaxH8QDDj8cjWDcNzTRQ ==
X-ME-Sender: <xms:DBLAXL1y6ODD73-WkRp2ez_6ZCl1SZSHq4ibcKl5K0eezFtv9g2uUw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrgeelgdduvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehloh ifvghnthhrohhphidrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:DRLAXOWdb-flKFS83556oDwISLVkRG4uk9Aeqnhu2t5HexXjOCug-w> <xmx:DRLAXG7lKLnGprF5CTM-TrPVKUOwMCrfHmxbaPMPgih_kDrmB4yR9A> <xmx:DRLAXFKN8YiKDRRx-QTLLaqNqOBNFAaPxSHLRBmbrcj9X1dGcbvjLg> <xmx:DRLAXDBLMDfe6L66uYdbIWGpwW3TsE0qel2q8GdXHR3LWDH8Iw4oGQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id C936F7C199; Wed, 24 Apr 2019 03:36:44 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-444-g755619f-fmstable-20190423v1
Mime-Version: 1.0
Message-Id: <47a2773b-8943-4fc0-a024-d8c81a3dc627@www.fastmail.com>
In-Reply-To: <2e691b63-2108-2d25-4b2d-7c56ce79d583@informatik.uni-hamburg.de>
References: <4f21da8a-a30c-4255-9400-aab3a599fb9b@www.fastmail.com> <9ae5725b-c0a7-4602-bd0a-da04509db62a@www.fastmail.com> <2e691b63-2108-2d25-4b2d-7c56ce79d583@informatik.uni-hamburg.de>
Date: Wed, 24 Apr 2019 03:36:45 -0400
From: Martin Thomson <mt@lowentropy.net>
To: Erik Sy <sy@informatik.uni-hamburg.de>, tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zyTSrl6NLD8WL3qkAWmxDQIQq8g>
Subject: Re: [TLS] Adoption call for draft-sy-tls-resumption-group
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 07:36:48 -0000

On Tue, Apr 16, 2019, at 18:36, Erik Sy wrote:
> Hi Martin,
> 
> can you please explain, why you think this is not the right solution?

To recap, the draft proposes an empty extension in ClientHello, which the server, at its discretion, includes in Certificate.

There are two insights that are important here:

1. The client could, if it chose, send any session ticket from any server to any other server[1].  The reasons for not doing that are primarily linkability: by using a session ticket it links the connection where it is used with the connection where it was acquired.

2. The linkability thing means that clients can't reuse session tickets because that changes the set of entities that can link sessions from (issuer+consumer) to (issuer+consumer+network path).  This is what leads us to strongly recommend using tickets at most once.

The second observation is what drives the signal.  We want to have a signal so that the client can make the resumption attempt without wasting the ticket on a server that simply cannot use it.

I think that the signal could be attached to NewSessionTicket instead:

   The server MAY also send unsolicited extensions
   in the NewSessionTicket, though the client does not respond directly
   to these.

[1] What it means to resume with a completely different server identity, where the client has seen no previous authentication, is a separable question.  And I don't think that the current draft goes far enough to address this complex question.  It currently says:

   This resumption group is formed of all SNI values
   that are valid for the presented server certificate.

That is convenient and probably ultimately a good baseline for this, but it doesn't capture some of the things we learned about the scope of server authority out of HTTP/2 and the ensuing work.  I think that this needs to transition - at least conceptually - into the application layer and rely on the client's understanding of what identities the server holds.  

I'm OK with adoption without addressing that concern, but it does need to be addressed.

Finally, there is some text in the draft that I think needs to be removed.  For example, the normative text on cache lifetime here:

   According to [RFC8446], clients MUST NOT cache tickets longer than
   seven days.

   Note, that TLS resumption enables a server to link resumed
   connections to the same client.  A study on the feasibility of this
   tracking mechanism can be found in [TRAC].  To protect the client's
   privacy against tracking via this mechanism, it is RECOMMENDED to
   cache resumption tickets only for ten minutes.

...or this:

   To optimize the performance benefit of this extension, the server's
   certificate is RECOMMENDED to only include SNI values that mutually
   support the resumption of their TLS connections. 

There's enough there that I think that another iteration would be wise before adoption, that's all.

v2.23.0 | Report a Bug | By Email