Re: [TLS] New "Fast-Track" draft posted

To: ngm+ietf at google.com (Nagendra Modadugu)
Subject: Re: [TLS] New "Fast-Track" draft posted
From: Martin Rex <Martin.Rex at sap.com>
Date: Wed, 29 Apr 2009 03:14:18 +0200 (MEST)
Cc: stefans at exmsft.com, TLS at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <28425e380904281725g75407fcj823bf9e7d83421b3 at mail.gmail.com> from "Nagendra Modadugu" at Apr 28, 9 05:25:20 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com

Nagendra Modadugu wrote:
> 
> I'm joining the discussion a little bit late.  Is there still time to
> consider 1-RTT version of the full-handshake described in "Fast-Track"
> paper? (i.e. client sends the ClientKeyExchange message speculatively before
> receiving the ServerHello).

To me, this looks more like a flawed assumption rather than a
"speculative action", because it is impossible to recover.

The idea behind the short cuts is that the server can continue
with the full handshake if the shortcut is not available for
whatever reason.  Sending a ClientKeyExchange based on
assumptions what the contents of the ServerHello will be
precludes the Server from making decisions to which it is
entiteled in the original TLS protocol, and the result can
easily be a fatal error, which means that the network communication
channel must be closed and reopened -- a recovery at the
TLS protocol level is impossible.

Having the Client send (protected) application data optimistically
following the Client Finished message without waiting for the
Server Finished seems like an acceptable optimization
if you badly need to cut down the number of round trips.

Such an optimization, however, may have a significant impact
on the semantics of SSL_connect for APIs like that of OpenSSL.

-Martin

Follow-Ups:
- Re: [TLS] New "Fast-Track" draft posted
  - From: Stefan Santesson

References:
- Re: [TLS] New "Fast-Track" draft posted
  - From: Nagendra Modadugu

Prev by Date: Re: [TLS] New "Fast-Track" draft posted
Next by Date: [TLS] Decryption_failed alert in TLS 1.1
Previous by thread: Re: [TLS] New "Fast-Track" draft posted
Next by thread: Re: [TLS] New "Fast-Track" draft posted
Index(es):
- Date
- Thread

Re: [TLS] New "Fast-Track" draft posted

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.