Transport Layer Security (TLS) False Start
draft-ietf-tls-falsestart-02

[Ballot comment]
For Stephen, yes, I noticed :-)

In support of Kathleen's comment and based on the shepherd's write-up, why is this experimental and what is
the experiment?

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-tls-falsestart-01.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: "Sean Turner" , draft-ietf-tls-falsestart@ietf.org, tls@ietf.org, stephen.farrell@cs.tcd.ie, sean@sn3rd.com, tls-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Transport Layer Security (TLS) False Start) to Experimental RFC


The IESG has received a request from the Transport Layer Security WG
(tls) to consider the following document:
- 'Transport Layer Security (TLS) False Start'
  as Experimental RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-04-20. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document specifies an optional behavior of TLS client
  implementations, dubbed False Start.  It affects only protocol
  timing, not on-the-wire protocol data, and can be implemented
  unilaterally.  A TLS False Start reduces handshake latency to one
  round trip.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-tls-falsestart/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-tls-falsestart/ballot/


No IPR declarations have been submitted directly on this I-D.

The reference to RFC2616 should probably be updated to 7230.

1. Summary

"False Start” was an attempt to reduce the latency impact of HTTPS based on the simple premise that the client send application data earlier in the handshake; to be precise clients send application data before they have received and verified the server's "Finished” message.  Initial measurements showed a 30% reduction in latency [0] I could paraphrase more of s2, but the authors explained the timing and the implications at the end of s2.

Note that this “experiment” was supported by Chrome, FF, IE, OpenSSL, NSS, and others. Some additional details:

- Chrome 20 disable it except for sites that enabled NPN.

- Firefox has (or at some point had) an NPN requirement to enable False Start.

- Safari as an additional example without the NPN requirement:
http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslTransport.c

- While there were patches to enable False Start with OpenSSL, it's not clear it was ever part of an official release. 

As far as where you should point your fingers:
- Sean Turner is the document shepherd, and;
- Stephen Farrell is the responsible Area Director.

2. Review and Consensus

There wasn’t a whole lot of discussion, primarily because "False Start” the implementation issues were worked out by the browsers and the WG didn’t adopt this draft until long after (Nov-2014).  The draft was adopted because it documents existing practices and provides security considerations [0]; the comments in the WG adoption thread were incorporated in the -01 WG version.  The WG’s deliberations resulted in a number of changes that more accurately reflect deployments (i.e., dropping server-side False Start) as well as restricting its use to pre-TLS1.3 (see s5.2) and cipher suites (see s5.3).

One reviewer wanted all (FF-)DHE cipher suites removed because they believe that the downgrade protections defined in [1] are in adequate. To solve address this issue, the “False Start” draft requires whitelists as well as large groups/curves.

[0] https://mailarchive.ietf.org/arch/msg/tls/RLklpxmZ3BQRBIqWgfeUcCLhgx0
[1] https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/

3. Intellectual Property

All disclosed as confirmed by the authors on 20160302.

4. Other Points:

There are no IANA considerations for this draft.