On Sat, Jul 25, 2015 at 8:53 PM, Dave Garrett <davemgarr...@gmail.com> wrote:
> I'm pretty sure some/all of this was likely mentioned elsewhere, but I > don't see any discussion on-list. (it was mentioned in part of the IETF 93 > recording I watched as this whole topic needing to go to the list, as well) > There's also related TODOs in the draft on this topic. Here's a start to > this discussion. > > Basically, there's two modes with similar use-cases in TLS 1.3 now: 0-RTT > connections using the known configuration extension & PSK-based session > resumption. I don't think their roles are well defined yet. > > 1) There is no 0-RTT resumption. The point of resumption is to get back > into the session quick, but it's arguably slower than not doing it, > currently. > > 0-RTT can do first flight (repeatable) requests: > https://tools.ietf.org/html/draft-ietf-tls-tls13-07#section-6.2.3 > but PSK-based resumption needs 1-RTT: > https://tools.ietf.org/html/draft-ietf-tls-tls13-07#section-6.2.4 We agreed on how to do this in Prague. The sticking point was establishing the cipher suite. I have WIP text on my machine for both of these which I will be sending early next week, once I get enough sleep to be able to clean it up, so I'd ask people to sit tight till then. 2) There's not yet specifics on what cipher suite to use for PSK-based > resumption. The consensus in Prague was that you should have to use a matching symmetric cipher suite. I don't see a point in doing PSK-based resumption with anything other than > plain PSK, with no PFS (no (EC)DHE). If you're willing to do the extra work > for DH, just go straight to normal 0-RTT to get more benefit/flexibility > with a similar amount of work. The goal is really to get forward secrecy on > the session, not necessarily every single connection within it. (not that > it wouldn't be nice) As long as the resumption is within a reasonably short > window (e.g. few minutes), not doing another DH is fine. After this window, > normal 0-RTT should be the preferred route. > I don't think this is correct. The reason is that resumption also resumes the client's authentication state, and client authentication often involves user interaction, which is undesirable from the site's perspective. So, it's actually quite attractive to do resumption with (EC)DHE. It's also significantly faster if you have an RSA certificate. > 3) Just to state the obvious: If a client is going to do PSK resumption > with a non-PFS suite, it needs to offer a non-PFS suite. Even if it's not > really going to be negotiated for anything else, I don't really like the > feel of this. I think it'd also be cleaner if the offered suites didn't > have to change for resumption. One idea would be to rename the groups > extension, again, to "supported_key_shares" and mark point 0 (or some other > if we want to leave 0) as PSK-resumption, specifically. Yeah, we discussed this internally, but I think it's clumsy. I'd rather just offer two separate cipher suites. -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
