On Tue, Feb 23, 2016 at 09:42:17AM -0800, Nick Sullivan wrote:
> Draft 11 currently supports both ServerConfiguration and PSK + Session
> Ticket for session resumption (0RTT or otherwise). Both mechanisms have the
> same properties in terms of forward secrecy: a compromise of the server's
> private data (whether PSK, session ticket key, or DH exponent) lets an
> attacker retroactively decrypt data from all sessions established with the
> PSK or Session Ticket. However, both mechanisms contain different language
> around how the lifetimes of the resumption data are managed.
>
> After some discussion with Facebook and others, I'd like to suggest a
> change in the wording of the draft to make the Session Ticket lifetime more
> closely resemble the lifetime of the ServerConfiguration.
IMHO the analogy between ServerConfiguration and SessionTicket is a flawed
one. ServerConfiguration is created by the server unilaterally, at some time
before the client connection, and is not session-specific. The client has no
implicit knowledge of the ServerConfiguration age.

The situation is completely different with SessionTicket, which is created
as a side-effect of the *current* handshake, and is always fresh when
created. A SessionTicket lifetime hint that is a relative time is therefore
quite sufficient and avoids clock synchronization and epoch time wrap-around
problems.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
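The two lifetime models under discussion, written out as an added example (this is illustrative code, not anything from the thread or from a TLS implementation). The TicketCache below keeps a session ticket valid for a relative lifetime measured from the moment the client received it, using a monotonic clock, so it never needs to agree with the server about absolute time. The two absolute_expiry_* functions show the alternative: validating a server-supplied epoch timestamp against the client clock, which drifts with clock skew and, when carried in a 32-bit field, breaks at the wrap boundary. The 604800-second cap is the value RFC 8446 later adopted and is an assumption about policy here, not draft-11 text; the clock injection and all sample values are constructed for the demonstration.

```python
import time

# Assumed deployment cap on a ticket lifetime (the RFC 8446 value);
# not taken from draft 11.
MAX_TICKET_LIFETIME = 604800  # seconds


class TicketCache:
    """Client-side cache keyed by server name.

    Expiry is derived from a *relative* lifetime hint: the ticket was minted
    by the handshake that just completed, so "received now + hint seconds"
    is all the client needs. A monotonic clock is used so wall-clock jumps
    (NTP steps, timezone changes) cannot extend or shorten a ticket's life.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable for testing (constructed)
        self._tickets = {}

    def store(self, server, ticket, lifetime_hint):
        """Cache a ticket; returns False when the server asked us not to."""
        lifetime = min(int(lifetime_hint), MAX_TICKET_LIFETIME)
        if lifetime <= 0:
            return False              # a zero hint means "do not cache"
        self._tickets[server] = (ticket, self._clock() + lifetime)
        return True

    def lookup(self, server):
        """Return a still-valid ticket, or None (forcing a full handshake)."""
        entry = self._tickets.get(server)
        if entry is None:
            return None
        ticket, expires_at = entry
        if self._clock() >= expires_at:
            del self._tickets[server]  # expired: drop it rather than offer it
            return None
        return ticket


def absolute_expiry_is_valid(server_expiry_epoch, client_now_epoch):
    """The alternative model: compare a server-issued absolute expiry with the
    client's own wall clock. Any skew between the two clocks directly changes
    the effective lifetime, which is the synchronization problem noted above."""
    return client_now_epoch < server_expiry_epoch


def absolute_expiry_is_valid_u32(server_expiry_epoch, client_now_epoch):
    """Same comparison on 32-bit wire encodings. Once either value passes
    2**32 seconds the truncated comparison inverts: a ticket that is still
    valid looks expired (or vice versa). A relative hint has no such boundary."""
    return (client_now_epoch & 0xFFFFFFFF) < (server_expiry_epoch & 0xFFFFFFFF)


if __name__ == "__main__":
    fake_now = [1000.0]
    cache = TicketCache(clock=lambda: fake_now[0])
    cache.store("example.test", b"ticket-1", 300)
    fake_now[0] += 301
    print("after 301s:", cache.lookup("example.test"))  # None: expired
    skewed_client = 2000 + 3600                          # client clock 1h ahead
    print("absolute, 1h skew:", absolute_expiry_is_valid(2000, skewed_client))
```

Injecting the clock keeps the example deterministic; in real code the default time.monotonic is what you want, precisely because the ticket's validity should depend only on how long ago *this* client received it.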