Re: [TLS] Remove EncryptedExtensions from 0-RTT

2016-06-23 Thread Ilari Liusvaara
On Thu, Jun 23, 2016 at 01:37:14PM +1000, Martin Thomson wrote:
> When implementing 0-RTT, and in particular the ticket_age extension, we
> discovered that this greatly increases the complexity of the server
> state machine.
>
> David Benjamin rather flippantly described a solution to this problem

Re: [TLS] Simpler backward compatibility rules for 0-RTT

2016-06-23 Thread Watson Ladd
On Tue, Jun 21, 2016 at 8:58 PM, Martin Thomson wrote:
> On 22 June 2016 at 12:01, Watson Ladd wrote:
>> Why isn't 0-RTT an extension in the Client Hello to deal with this?
>
> You can't stream extensions, which unfortunately is required given how
> most software interacts with their TLS stack.

Re: [TLS] Remove EncryptedExtensions from 0-RTT

2016-06-23 Thread David Benjamin
On Thu, Jun 23, 2016 at 6:35 AM Ilari Liusvaara wrote:
> On Thu, Jun 23, 2016 at 01:37:14PM +1000, Martin Thomson wrote:
> > When implementing 0-RTT, and in particular the ticket_age extension, we
> > discovered that this greatly increases the complexity of the server
> > state machine.
> >
> > Da

Re: [TLS] Remove EncryptedExtensions from 0-RTT

2016-06-23 Thread David Benjamin
On Thu, Jun 23, 2016 at 6:35 AM David Benjamin wrote:
> On Thu, Jun 23, 2016 at 6:35 AM Ilari Liusvaara
> wrote:
>
>> On Thu, Jun 23, 2016 at 01:37:14PM +1000, Martin Thomson wrote:
>> > When implementing 0-RTT, and in particular the ticket_age extension, we
>> > discovered that this greatly incr

Re: [TLS] Simpler backward compatibility rules for 0-RTT

2016-06-23 Thread Ilari Liusvaara
On Thu, Jun 23, 2016 at 07:26:37AM -0700, Watson Ladd wrote:
> On Tue, Jun 21, 2016 at 8:58 PM, Martin Thomson
> wrote:
> > On 22 June 2016 at 12:01, Watson Ladd wrote:
> >> Why isn't 0-RTT an extension in the Client Hello to deal with this?
> >
> > You can't stream extensions, which unfortunatel

Re: [TLS] Remove EncryptedExtensions from 0-RTT

2016-06-23 Thread Martin Thomson
On 24 June 2016 at 01:05, David Benjamin wrote:
> I don't think this matters. Just don't reuse tickets. But, if we cared, per
> the "dumbest possible thing that might work" school of thought, we can
> replace XOR with addition modulo 2^32. Now ticket reuse leaks the delta
> between two ClientHello

Re: [TLS] Simpler backward compatibility rules for 0-RTT

2016-06-23 Thread Martin Thomson
On 24 June 2016 at 00:26, Watson Ladd wrote:
> If we're
> willing to change the interaction pattern to support that, we can
> accommodate using 0RTT as an extension by gathering it all and sending
> when the handshake happens.

That's a very different constraint on the usage. In one, you have to