The server shouldn't use a token for much #1647
Labels
-transport
design
An issue that affects the design of the protocol; resolution requires consensus.
has-consensus
An issue that the Chairs have determined has consensus, by canvassing the mailing list.
Comments
martinthomson
added
design
|
If adding such advice, please be specific about encryption is not authentication. Although QUIC implementers would or should now, it could easily be missed by infrastructure operators. Merely stating AEAD or MAC can easily be misread as golang.encrypt(x) should be fine. |
martinthomson
added a commit
that referenced
this issue
Aug 27, 2018
We can't realistically authenticate all tokens with up to three Retry packets and the NEW_TOKEN message. So they aren't really safe for much. Describe the limitations and advise a very narrow usage. I really hope that this choice doesn't bite us later. It doesn't feel that good, but I don't know how to fix this without going back to just one Retry (and even then a solution would be ugly). Closes #1647.
Merged
mnot
added
the
has-consensus
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The token that a server provides in Retry or NEW_TOKEN isn't authenticated. It can be used multiple times and it isn't folded into the handshake. This is an explicit limitation of the design. Neither client nor server can therefore rely on its contents for much. A server can ensure that the token is self-authenticating (by including a MAC or self encrypting it with an AEAD, for instance), but it shouldn't really use the information beyond its immediate purpose: address validation.
The text was updated successfully, but these errors were encountered: