On 15 March 2016 at 13:22, Bill Cox <waywardg...@google.com> wrote: > In TLS 1.3, tickets are sent after the full handshake completes, after > encryption is enabled for the connection. Now, if an attacker has the > ticket encryption key, it is not possible to decrypt old connections. Is > that right? It looks to me like tickets have real PFS in TLS 1.3.
It's the properties of the session that matter here, not the tickets. The tickets are sent in the clear in the resumed handshake. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
