When implementing 0-RTT, and in particular the ticket_age extension, we
discovered that this greatly increases the complexity of the server
state machine.  The problem is that the server is making decisions
about what to send in the ServerHello based on the content of messages
that appear after the ClientHello.  Worse, this means that the server
is making decisions based on material that is not hashed into the
session transcript [1].

David Benjamin rather flippantly described a solution to this problem:
XOR the ticket age value with something that is either derived from
the old session keys or was included in the NewSessionTicket message.

I propose we take David's solution.  After all, simple is better:

  https://github.com/tlswg/tls13-spec/pull/503

To be clear, this means we lose the generality provided by having
encrypted extensions in the client's first flight.  I can't find a
reason to be sad about that; the only other possible use for this was
encrypted SNI, but I think we can find better ways to solve that
particular problem.


[1] This led to ugly patches like what
https://github.com/tlswg/tls13-spec/issues/501 suggests.
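The mechanism proposed above, as an added illustration that is not part of the original post or of the tls13-spec repository: the server mints a 32-bit mask and sends it with the ticket, the client XORs the real ticket age with that mask in its ClientHello, and the server recovers the age and checks it against its own clock before deciding on 0-RTT. The field names, the 10-second tolerance and the in-memory ticket store are assumptions for the example (RFC 8446 as published uses addition modulo 2^32 with ticket_age_add rather than XOR, but the state-machine benefit is the same: the decision needs only ClientHello material).

```python
import os
import struct

MASK_LEN = 4  # 32-bit mask carried in NewSessionTicket (assumption for this example)


def issue_ticket(now_ms: int) -> dict:
    """Server side: mint a ticket record with a fresh random mask.
    The mask goes to the client inside NewSessionTicket; a real server
    would also seal it inside the encrypted ticket instead of keeping
    this plaintext dict around."""
    mask = struct.unpack(">I", os.urandom(MASK_LEN))[0]
    return {"issued_ms": now_ms, "mask": mask}


def obfuscate_age(age_ms: int, mask: int) -> int:
    """Client side: hide the real ticket age before putting it in ClientHello.
    XOR with the ticket's mask, as proposed in the message (32-bit field)."""
    return (age_ms & 0xFFFFFFFF) ^ mask


def recover_age(obfuscated: int, mask: int) -> int:
    """Server side: undo the obfuscation with the mask bound to this ticket."""
    return obfuscated ^ mask


def accept_0rtt(ticket: dict, obfuscated_age: int, now_ms: int,
                tolerance_ms: int = 10_000) -> bool:
    """Decide, from ClientHello material alone, whether to accept 0-RTT.
    The client's claimed age must agree with the server's own view of how
    old the ticket is; a ClientHello captured and replayed later carries a
    stale age and is rejected, so the replay window is bounded by the
    tolerance (assumed 10 s here)."""
    claimed_age = recover_age(obfuscated_age, ticket["mask"])
    actual_age = now_ms - ticket["issued_ms"]
    return abs(actual_age - claimed_age) <= tolerance_ms


if __name__ == "__main__":
    # Constructed timeline: ticket issued at t=1,000,000 ms, resumed 5 s later.
    ticket = issue_ticket(1_000_000)
    wire_age = obfuscate_age(5_000, ticket["mask"])
    print("fresh resumption accepted:", accept_0rtt(ticket, wire_age, 1_005_000))
    print("replayed 100 s later accepted:", accept_0rtt(ticket, wire_age, 1_100_000))
```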

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
