Re: [Unbearable] I-D Action: draft-ietf-tokbind-tls13-0rtt-02.txt

Andrei Popov <> Thu, 29 June 2017 20:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B5274129C1E; Thu, 29 Jun 2017 13:16:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uuwF0t4dGNKN; Thu, 29 Jun 2017 13:16:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 394C3129B25; Thu, 29 Jun 2017 13:16:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dpJYwyJUKpgKfNO0gw+h69Fweyp7Xp8dNbbYIwOSzaA=; b=RGt3W9C8j5i6jnkAo+S4R0MNwzjyEj4lWOXQz9tLl9Z2UrRCWM2IwyyX9p1HqVd30JUXu5xmsCIR/hog51nR85HyRYysg37qvYCmlBZU4md2+Ih1sCm7tIu3boQTqzyiU1NIU6c5RzO1T8xyNBiHg+u2KCmK7+I7wkUVEljAa6Y=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1240.4; Thu, 29 Jun 2017 20:16:33 +0000
Received: from ([fe80::5001:5681:2188:eed6]) by ([fe80::5001:5681:2188:eed6%18]) with mapi id 15.01.1240.007; Thu, 29 Jun 2017 20:16:33 +0000
From: Andrei Popov <>
To: John Bradley <>, Nick Harper <>
CC: IETF Tokbind WG <>, Leif Johansson <>, "" <>, Benjamin Kaduk <>
Thread-Topic: [Unbearable] I-D Action: draft-ietf-tokbind-tls13-0rtt-02.txt
Thread-Index: AQHS8FuyDX/argdPUkWbDRpR6gbRSqI62hqAgABJgQCAAGllgIAAno+AgAAIH4CAABJI8A==
Date: Thu, 29 Jun 2017 20:16:33 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: [2001:4898:80e8:e::4ca]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM2PR21MB0090; 7:ixGzebDAeNwaJdJ+h8EzCwcj3nSiHF/EEr9WLVmZWwgl3io/8IL4IwJMl613a6m+PkuuaBP+z1qQ3P4zxX8J3zOmMGYUa7w1NxOFuNXWzvilDrBk9TUZdoR1qN9Jt5tOOKy5cJTV+wvxf0mlUbKFcfQaOxIGQaP1yZRc1WISWFQBGYzWGYuNnZcDamdOBX55RZR1cQRusY/vRHyowVbJH4oRIc+8UyjF4p29xzKPNjcu7VDOYA/ah6n8GeeKffBb0l6KWTNAOmS4yqLlGNtT8ttnMkD21gSxyij9lLN/v8cBZ0E+DuxWssj96VUO3s0RdNy5/gjH+PbsB2ObgtEoMbGU5dry06PfuUesdLNlk8deOnOPhUn1ryJnvFdQabkARtekSBAro/59U8uxBAKhCma3CyT46wCrubejiEcjH+lQCuWnvteLFapi3ZpAhONKmE/B876b2xbG3IpucbvEkoegSNRY+eTFKe3Vmvx4/Qh4sZZv97QAiWsJplMqihx3AV3tMJ7fnA7f+eGXw0u4CwjaWWXKcpohbKVhswLP4tAYoPOtOvU3Mb1Y6nnqL/z3SP5UzAg1pZLz4aMrkgUgurEScQG21wdaxSdZemV/FkLdXdsuPD0OpEgnPll5ADl1n5MoUjLr4CqyGWCld9x6dzZntW3w8nhFNQXtJCLBn7mkL1UaKB0/9Rw33lGFcYBre8AqsD1OxEffLB/2Hw8EIVAmggm48m8OzRFNEkPFj1dSf85QkmRzrGKiVW4SYKAXYUNmNiQbVR2vcUS3KWx8R89NBBb5GVZytjcomnozHEE4xWjghqgjHoPCd4yI1r1Q
x-ms-office365-filtering-correlation-id: fbec9512-7a72-42ec-eb97-08d4bf2bbc93
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:DM2PR21MB0090;
x-ms-traffictypediagnostic: DM2PR21MB0090:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(151999592597050)(125551606395959)(278178393323532)(26388249023172)(236129657087228)(192374486261705)(211936372134217)(100405760836317)(148574349560750)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(601004)(2401047)(8121501046)(2017060910018)(5005006)(3002001)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123555025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123560025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DM2PR21MB0090; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM2PR21MB0090;
x-forefront-prvs: 0353563E2B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39410400002)(39850400002)(39840400002)(39450400003)(39860400002)(24454002)(377424004)(377454003)(2900100001)(8676002)(53936002)(229853002)(6436002)(2906002)(81166006)(8990500004)(38730400002)(2950100002)(25786009)(86612001)(86362001)(8936002)(7696004)(5660300001)(4326008)(10290500003)(7736002)(93886004)(53546010)(74316002)(10090500001)(230783001)(3280700002)(14454004)(9686003)(3660700001)(102836003)(790700001)(54896002)(6116002)(236005)(6306002)(55016002)(99286003)(33656002)(5005710100001)(6246003)(6506006)(5250100002)(76176999)(54356999)(189998001)(478600001)(50986999)(54906002)(72206003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR21MB0090;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR21MB009122B46F7497493AFF953C8CD20DM2PR21MB0091namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jun 2017 20:16:33.2673 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR21MB0090
Archived-At: <>
Subject: Re: [Unbearable] I-D Action: draft-ietf-tokbind-tls13-0rtt-02.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Jun 2017 20:16:38 -0000

  *   A good point,  if the attacks are still possible then supporting 0-RTT is problematic.
  *   On the other hand 0-RTT is a big speed boost for resumed connections.  It is hard to imagine that servers are going to disable it to use token binding over the long term.

There is often a tradeoff between security and performance; some servers may choose 0-RTT based on their business requirements, and others may choose TB. I do not think that it is necessary to reconcile TB and 0-RTT (although it would have been awesome if we could). From my perspective, it is more important to keep TB secure than to make it work with 0-RTT: replayable TB would be a waste of CPU cycles.



From: Unbearable [] On Behalf Of John Bradley
Sent: Thursday, June 29, 2017 12:02 PM
To: Nick Harper <>
Cc: IETF Tokbind WG <>; Leif Johansson <>;; Benjamin Kaduk <>
Subject: Re: [Unbearable] I-D Action: draft-ietf-tokbind-tls13-0rtt-02.txt


On Jun 29, 2017, at 2:33 PM, Nick Harper <<>> wrote:

On Thu, Jun 29, 2017 at 2:05 AM, Leif Johansson <<>> wrote:

On 2017-06-29 04:48, Benjamin Kaduk wrote:

On Wed, Jun 28, 2017 at 03:25:13PM -0700, Nick Harper wrote:

Here's a summary of the changes since the last draft:

- If TB is accepted in 0-RTT data, keep using the early exporter for
the whole connection. There was some discussion on this in Chicago,
with more on the mailing list. Chairs, can you confirm whether we
reached consensus on the mailing list or whether we should take a hum
in Prague?

I am a WG chair, but not a tokbind chair, but that question does not
seem to make sense.  Consensus must be reached (or confirmed) on the
mailing list, so deciding there wasn't enough feedback on the list and
going to an in-room hum seems backwards, procedurally.

Judging consensus is sometimes tricky. I think what Nick meant was that
we may want to do a hum in Prague /in addition to/ seeking confirmation
on the list.

It is unclear to me whether consensus was reached (hence deferring to
the chairs on that judgement). If we don't have consensus, I'm fine
continuing the discussion on list and in Prague. Let me check that I
understand the process properly: first, discuss (on list and possibly
in person), then if the discussion sounds like it's reached a
consensus, optionally hum in person, and then confirm consensus on the
list. Does that sound about right?


- 0-RTT TB cannot be used with externally provisioned PSKs or with a
PSK-only key exchange mode

- A new TLS extension is used for negotiating and indicating use of 0-RTT TB

- The replay indication TLS extension has been removed

Some discussion on the httpbis list brought up that this document should
mandate that 0-RTT token binding is only used in conjunction with
a TLS stack that provides strong anti-replay protections (i.e., zero
additional replays possible and one retransmission via DKG attack).  In other
words, the time-based scheme of (draft-02) section 6.4 should be removed,
and perhaps 6.3.1 reworded somewhat.

I read over the "New Version Notification for
draft-thomson-http-replay-00.txt" thread on the httpbis list. My
understanding of the issue raised on that list is simply that there
are attacks on 0-RTT Token Binding if there isn't a strict global
anti-replay mechanism. There are still attacks possible on 0-RTT Token
Binding even if there is a strict global anti-replay mechanism. I need
to consider what additional attacks are possible without such a
mechanism, and if any of those attacks require less privileges than
the attacks possible with the mechanism.

(It also brought up multiple peoples' sentiments that 0-RTT token binding
is a bad idea in general, but this may not be procedurally the right time
to have that discussion.)


I'm aware that multiple people think that 0-RTT token binding is a bad
idea in general. So far, the impression I've gotten of this sentiment
is "0-RTT Token Binding is not something I have any interest in
implementing". If the sentiment is closer to "0-RTT Token Binding is
such a horrible thing that no one should be implementing it", then
maybe we should discuss that sooner.

A good point,  if the attacks are still possible then supporting 0-RTT is problematic.
On the other hand 0-RTT is a big speed boost for resumed connections.  It is hard to imagine that servers are going to disable it to use token binding over the long term.

I don’t believe the WG has any real consensus on this yet.   The draft spec is helpfull for us to discuss the issues.

I encourage more discussion on the list on the topic of the draft and if this is the correct way to deal with 0-rtt if there are counter opinions.

John B.