On Mon, Mar 14, 2016 at 7:25 PM, Martin Thomson <martin.thom...@gmail.com> wrote:
> On 15 March 2016 at 13:22, Bill Cox <waywardg...@google.com> wrote:
> > In TLS 1.3, tickets are sent after the full handshake completes, after
> > encryption is enabled for the connection. Now, if an attacker has the
> > ticket encryption key, it is not possible to decrypt old connections. Is
> > that right? It looks to me like tickets have real PFS in TLS 1.3.
> >
> It's the properties of the session that matter here, not the tickets.
>
> The tickets are sent in the clear in the resumed handshake.
>

Right. As far as I can tell, that's required.

TLS 1.3 PFS *is* much better with respect to tickets because the ticket established in connection N cannot be used to decrypt that connection. In addition, because you can do PSK-ECDHE, you can confine the PFS risk to the 0-RTT data.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
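
The PSK-ECDHE confinement described in the reply above, as an added example that is not part of the original thread: a Python sketch following the key schedule of RFC 8446 (the published TLS 1.3, which postdates this message), showing which secrets of a resumed connection can be recomputed from the PSK alone. The PSK, the handshake bytes and the 32-byte stand-in for the ECDHE output are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def derive_secret(secret: bytes, label: str, messages: bytes) -> bytes:
    # Derive-Secret = HKDF-Expand-Label over the transcript hash (RFC 8446, 7.1).
    full_label = b"tls13 " + label.encode()
    context = hashlib.sha256(messages).digest()
    info = (HASH_LEN.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    # One HKDF-Expand block is enough for a hash-length output.
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()


def resumption_secrets(psk, client_hello, server_hello, dhe=None):
    """Return (0-RTT traffic secret, handshake traffic secret).

    dhe=None models PSK-only resumption, where the key schedule mixes in
    a zero-filled string instead of an (EC)DHE shared secret.
    """
    early = hkdf_extract(bytes(HASH_LEN), psk)
    zero_rtt = derive_secret(early, "c e traffic", client_hello)
    salt = derive_secret(early, "derived", b"")
    handshake = hkdf_extract(salt, dhe if dhe is not None else bytes(HASH_LEN))
    return zero_rtt, derive_secret(handshake, "c hs traffic",
                                   client_hello + server_hello)


# Constructed sample values (assumptions, not real handshake data).
PSK = bytes.fromhex("11" * 32)
CH, SH = b"constructed ClientHello", b"constructed ServerHello"
DHE = bytes.fromhex("22" * 32)  # stand-in for the ECDHE output, endpoints only


def exposed_by_psk_compromise(dhe_used):
    """(0-RTT exposed, handshake exposed) when the PSK and the recorded
    handshake are known but the (EC)DHE output is not."""
    real = resumption_secrets(PSK, CH, SH, dhe_used)
    from_psk_only = resumption_secrets(PSK, CH, SH, None)
    return real[0] == from_psk_only[0], real[1] == from_psk_only[1]
```

With `dhe_used=None` (PSK-only) both secrets follow from the PSK; with `dhe_used=DHE` only the 0-RTT secret does.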