On Sun, Mar 01, 2020 at 10:39:07PM -0800, Rob Sayre wrote:
> > Agreed, and strongly so with the last sentence.
>
> None of these messages have addressed the chairs' suggestion:
>
> "Consider adoption of an individual draft that describes an extension for
> hinting ticket reuse. This draft will also discuss the use cases around
> ticket reuse."
>
> What's wrong with this suggestion? Is the concern that it won't be adopted?
PR#18 isn't exclusively or primarily about reuse. Rather, it addresses a gap in the design, which fails to address the difference in required tickets between resumptions and full handshakes. A client should generally (connection racing aside) ask for just one ticket when attempting resumption, but will need more than one if instead a full handshake results.

But on the reuse side, it would be exceedingly cumbersome to have two separate extensions for negotiating the requested ticket count. We should just resolve the issue now:

- Does TLS 1.3 support ticket reuse in applications that can't take advantage of and don't need the privacy advantages of single-use tickets?
- If so, they should be able to negotiate ticket reuse, and this extension is precisely the right vehicle for that.

Let's not be in the habit of ducking issues that need to be addressed.

That said, the dual counters could be defined now without reuse defined, and a separate draft *could* do that part later, without changing the structure or introducing a second extension. But kicking the can down the road would IMHO be very sad. Surely we can do better than that.

Instead of endlessly debating whether to decide now or later, let's just decide one way or the other:

* Is the ticket-non-reuse traffic-analysis counter-measure mandatory for all TLS clients?
  - Even though its protection can't ultimately be reliable, there are more side-channels linking clients in traffic flows than just the ticket.
  - Even though some clients can't possibly benefit because they're by design the sole clients at their IP address, may be on private networks, in industrial settings, ...

I hope the answer is that ticket non-reuse is not mandatory, but if it is, at least we'll have a decision.

--
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
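The "dual counters" the post argues for can be made concrete with a small model of the extension body and of the server's decision. This is an added example, not code from the thread, from PR#18 or from the ticketrequests draft: the field names (`new_session_count`, `resumption_count`), the one-byte-each layout, and the extension type value are assumptions chosen for illustration, and the server-side cap is a stand-in for whatever policy a real server applies. The point it shows is the one in the post: a client asks for one ticket when it expects to resume and a batch when a full handshake results, and the server picks the count that matches the handshake it actually performed.

```python
"""Two-counter TLS ticket-request extension: encoding, strict decoding, and
the server's choice of how many tickets to issue.  Example code written for
this discussion; layout and names are assumptions, not the draft's wire format."""
from dataclasses import dataclass
import struct

TICKET_REQUEST_EXT_TYPE = 0xFFFE  # placeholder value, not a registered extension type


@dataclass(frozen=True)
class TicketRequest:
    new_session_count: int  # tickets wanted if the server performs a full handshake
    resumption_count: int   # tickets wanted if the server resumes from a prior ticket

    def encode(self) -> bytes:
        """Body of the extension: two single-byte counters (assumed layout)."""
        for name in ("new_session_count", "resumption_count"):
            value = getattr(self, name)
            if not 0 <= value <= 255:
                raise ValueError(f"{name} must fit in one byte, got {value}")
        return bytes([self.new_session_count, self.resumption_count])

    @classmethod
    def decode(cls, body: bytes) -> "TicketRequest":
        """Strict parse: anything but exactly two bytes is rejected, so a malformed
        or truncated extension can never yield an undefined ticket count."""
        if len(body) != 2:
            raise ValueError(f"ticket request body must be 2 bytes, got {len(body)}")
        return cls(new_session_count=body[0], resumption_count=body[1])


def frame_extension(body: bytes) -> bytes:
    """Standard TLS extension framing: uint16 type, uint16 length, then the body."""
    return struct.pack("!HH", TICKET_REQUEST_EXT_TYPE, len(body)) + body


def unframe_extension(data: bytes) -> bytes:
    """Inverse of frame_extension, checking type and declared length against the data."""
    if len(data) < 4:
        raise ValueError("extension shorter than its header")
    ext_type, length = struct.unpack("!HH", data[:4])
    if ext_type != TICKET_REQUEST_EXT_TYPE:
        raise ValueError(f"unexpected extension type {ext_type:#06x}")
    body = data[4:]
    if len(body) != length:
        raise ValueError(f"declared length {length} does not match {len(body)} body bytes")
    return body


def client_request(expects_resumption: bool, full_handshake_batch: int = 4) -> TicketRequest:
    """A client that holds a usable ticket asks for exactly one replacement on
    resumption (connection racing aside) but still states how many it wants if
    the server falls back to a full handshake, so one extension covers both."""
    resumption = 1 if expects_resumption else 0
    return TicketRequest(new_session_count=full_handshake_batch, resumption_count=resumption)


def tickets_to_issue(req: TicketRequest, resumed: bool, server_max: int = 8) -> int:
    """Server side: honour the counter matching the handshake that actually took
    place, capped by local policy so a client cannot make the server mint an
    unbounded number of tickets."""
    wanted = req.resumption_count if resumed else req.new_session_count
    return min(wanted, server_max)


def negotiate(expects_resumption: bool, server_resumes: bool) -> int:
    """One end-to-end exchange: client encodes, server decodes and decides."""
    wire = frame_extension(client_request(expects_resumption).encode())
    req = TicketRequest.decode(unframe_extension(wire))
    return tickets_to_issue(req, resumed=server_resumes)


if __name__ == "__main__":
    # Client expected to resume; the server agreed: one fresh ticket.
    print(negotiate(expects_resumption=True, server_resumes=True))
    # Client expected to resume, but the server rejected the ticket and ran a
    # full handshake: the batch counter applies instead.
    print(negotiate(expects_resumption=True, server_resumes=False))
```

The mismatch case the post describes (client offers a ticket, server declines it) is the second `negotiate` call: with a single counter the client would have had to choose between over-requesting on every resumption and under-requesting after a fallback; with two counters the server simply reads the one that applies.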