What about the choice of, randomly use any of the tickets but don’t re-use a ticket? I am not sure why using them in a specific order is better or worse. Even if you assign a specific ticket to a reconnect, I would expect that timing of issues might make the server see the tickets out of order so that it needs to deal with the fact that they come in randomly.
Jim From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla Sent: Saturday, June 04, 2016 8:51 AM To: tls@ietf.org Subject: [TLS] PR #493: Multiple concurrent tickets https://github.com/tlswg/tls13-spec/pull/493 Currently the server can send multiple tickets but we don't say anything about the semantics. So, say a server sends tickets T_1, T_2, T_3... T_n, and the client wants to initiate m < n connections, should he use: - only T_n - T_1...T_m - T_n, T_n-1, ... T_n-m+1 The intuition I have had is that we want the third option (latest wins, but allow multiples for linkability) but the spec doesn't say and there aren't any semantics that tell you, so I think we want some way for the server to say "these group of tickets are all co-valid". I've just created PR#493, which provides an explicit mechanism for this, "ticket generations". Tickets with the same generation M are co-valid and a ticket with generation N expires all tickets with generation M < N. The nice thing about this encoding is that a client can implement the old "one ticket at a time" behavior by just ignoring the generation and taking the last ticket. I wanted to call out to cryptographers/analysts that this formalizes the existing practice (going back to RFC 5077) of having multiple ticket values tied to the same basic secret (though less so with 1.3 because tickets issued on connection N+1 don't have the same RMS as those on connection N). If there is a problem with this, that would be good to know. Barring major objections, I'll merge this Thursday. -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
