Gary said:
> I'm perfectly happy with that, just not to the exclusion of other ways to
> interpret the Proposed RFC.

I don't understand that. How many ways to interpret it are there?

Page 18 says:

   To protect the client's privacy, the client SHOULD avoid reusing a
   cookie. If the client does not have any cookies that it has not
   already sent, it SHOULD initiate a re-run the NTS-KE protocol. The
   client MAY reuse cookies in order to prioritize resilience over
   unlinkability. Which of the two that should be prioritized in any
   particular case is dependent on the application and the user's
   preference. Section 10.1 describes the privacy considerations of
   this in further detail.

I'm not a language lawyer, but that seems clear to me. It doesn't say you can use a single cookie to simplify your code. It says it's OK to reuse cookies if you have run out and you have decided that trying for an NTP exchange is more important than getting tracked.

This whole discussion is a waste of time. If we had code that did everything else but reused a cookie it got from the NTS-KE step, I could fix it to use new cookies in an evening. (Maybe weekend, I'm crappy about time estimates.)

--
These are my opinions. I hate spam.
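
The cookie rule quoted from page 18, sketched as an added example (not NTPsec code and not part of the original message). The names `cookie_jar`, `jar_add`, `jar_next` and the `ke_failed` flag are hypothetical, and allowing reuse only after a failed NTS-KE re-run is one assumed reading of "prioritize resilience".

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define JAR_MAX 8       /* assumed pool size */
#define COOKIE_MAX 128  /* assumed upper bound on cookie length */
enum nts_action { NTS_SEND_FRESH, NTS_SEND_REUSED, NTS_RERUN_KE };
struct cookie { unsigned char data[COOKIE_MAX]; size_t len; };
struct cookie_jar {
    struct cookie fresh[JAR_MAX];  /* cookies never yet sent */
    size_t nfresh;
    struct cookie last_sent;       /* kept only for the MAY-reuse fallback */
    bool prefer_resilience;        /* user/application preference */
};

/* Store a cookie from NTS-KE or from an NTP response. */
bool jar_add(struct cookie_jar *j, const unsigned char *c, size_t len)
{
    if (len == 0 || len > COOKIE_MAX || j->nfresh == JAR_MAX)
        return false;
    memcpy(j->fresh[j->nfresh].data, c, len);
    j->fresh[j->nfresh].len = len;
    j->nfresh++;
    return true;
}

/* Decide what the next request does; ke_failed: last NTS-KE re-run failed. */
enum nts_action jar_next(struct cookie_jar *j, bool ke_failed, struct cookie *out)
{
    if (j->nfresh > 0) {            /* SHOULD: send each cookie only once */
        *out = j->fresh[--j->nfresh];
        j->last_sent = *out;
        return NTS_SEND_FRESH;
    }
    /* last_sent.len == 0 means nothing has been sent yet, so nothing to reuse */
    if (!ke_failed || !j->prefer_resilience || j->last_sent.len == 0)
        return NTS_RERUN_KE;        /* SHOULD: out of cookies, re-run NTS-KE */
    *out = j->last_sent;            /* MAY: reuse, giving up unlinkability */
    return NTS_SEND_REUSED;
}

int main(void)
{
    struct cookie_jar j = {0};
    struct cookie out;
    jar_add(&j, (const unsigned char *)"constructed", 11); /* constructed sample */
    jar_next(&j, false, &out);                             /* sends the fresh cookie */
    return jar_next(&j, false, &out) == NTS_RERUN_KE ? 0 : 1; /* pool now empty */
}
```

Reuse is reachable only when the pool is empty, the user has opted for resilience, and a re-run has already failed; every other path either sends an unsent cookie or asks for a new NTS-KE run.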