The combination of DHE and TLS 1.3 session resumption via session tickets can destroy the forward secrecy property that DHE was intended to provide. With the proposed removal of DHE-based 0-RTT from TLS 1.3, session resumption is the mechanism by which 0-RTT connections are established. When adopted into QUIC, this will then be a reduction in security as compared with the current QUIC Crypto protocol, which rapidly steps all connections up to having forward secrecy immediately after a 0-RTT connection.
The 0-RTT connection is extremely desirable for use in QUIC, because of the impact on connection latency, a known critical issue in all HTTP(S) content acquisition. Currently, at least 75% of all QUIC connections use 0-RTT, and then enjoy forward secrecy for the bulk of their communications. I would like TLS 1.3 to provide similar forward-secrecy guarantees after a 0-RTT connection.

If a symmetric session-ticket-decryption key was compromised at a server, as a result of a break-in or a subpoena, then all traffic that depended on the session resumption tickets would be at risk. Moreover, a third-party attacker that possessed such a key, or planned to acquire a copy, could "encourage" traffic to use session resumption by disrupting any connection.

A common use case involves having a large number of servers that must all be equally able to resume a connection. As a result, encrypted session tickets, protected by a server's symmetric secret key, are generally the preferred mechanism for resumption.

Thanks for your consideration,

Jim Roskind
TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
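The risk described in the post, as an added toy model that is not code from the post or from any TLS implementation: a server wraps the resumption PSK in a ticket under a long-lived ticket key, and a simplified TLS 1.3 key schedule derives the resumed session's traffic secret either from the PSK alone (`psk_ke`) or from the PSK plus a fresh ephemeral DH secret (`psk_dhe_ke`). The ticket format, the single-block HKDF stand-in, the collapsed Early/Handshake secret steps and the small DH group are all constructed for illustration and are not the real wire format or a secure group.

```python
import hashlib, hmac, os, secrets

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes) -> bytes:
    """Toy stand-in for TLS 1.3 HKDF-Expand-Label (one HMAC-SHA256 block)."""
    return hmac.new(secret, b"tls13 " + label + context, hashlib.sha256).digest()

# Constructed toy DH group (NOT secure; real TLS uses e.g. x25519 or ffdhe2048).
P = 2**127 - 1
G = 3

def protect_ticket(ticket_key: bytes, psk: bytes) -> bytes:
    """Server wraps the 32-byte resumption PSK into a self-contained encrypted ticket."""
    nonce = os.urandom(16)
    stream = hkdf_expand_label(ticket_key, b"ticket enc", nonce)   # keystream for 32 bytes
    body = bytes(a ^ b for a, b in zip(psk, stream))
    tag = hmac.new(ticket_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unprotect_ticket(ticket_key: bytes, ticket: bytes) -> bytes:
    """Whoever holds ticket_key (the server, or anyone who obtained it) recovers the PSK."""
    nonce, body, tag = ticket[:16], ticket[16:48], ticket[48:]
    expected = hmac.new(ticket_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket authentication failed")
    stream = hkdf_expand_label(ticket_key, b"ticket enc", nonce)
    return bytes(a ^ b for a, b in zip(body, stream))

def resumed_traffic_secret(psk: bytes, mode: str, transcript: bytes, dh_shared: bytes) -> bytes:
    """Simplified key schedule: psk_ke mixes only the PSK, psk_dhe_ke also mixes a DH secret."""
    early = hmac.new(b"\x00" * 32, psk, hashlib.sha256).digest()        # Early Secret
    ikm = dh_shared if mode == "psk_dhe_ke" else b"\x00" * 32            # (EC)DHE or zeros
    handshake = hmac.new(early, ikm, hashlib.sha256).digest()            # Handshake Secret
    return hkdf_expand_label(handshake, b"traffic", transcript)

def simulate(mode: str):
    """One resumption; returns (peers' traffic secret, what a later ticket-key holder derives)."""
    ticket_key = os.urandom(32)                      # long-lived, shared across the server fleet
    psk = os.urandom(32)                             # resumption secret from the full handshake
    ticket = protect_ticket(ticket_key, psk)
    transcript = hashlib.sha256(b"ClientHello..ServerHello (constructed)").digest()
    # Ephemeral DH: public values travel on the wire, private exponents never do.
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    shared = pow(gy, x, P).to_bytes(16, "big")
    session_secret = resumed_traffic_secret(psk, mode, transcript, shared)
    # A passive recorder who later obtains ticket_key has the ticket and the transcript,
    # but no DH exponent, so it can only supply an empty DH input.
    leaked_psk = unprotect_ticket(ticket_key, ticket)
    observer_secret = resumed_traffic_secret(leaked_psk, mode, transcript, b"")
    return session_secret, observer_secret
```

In `psk_ke` the two secrets match, so every recorded resumed session is exposed by one ticket-key compromise; in `psk_dhe_ke` they differ, which is the forward-secrecy step-up the post asks TLS 1.3 to preserve for 0-RTT.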