On Sun, Jun 26, 2016 at 05:34:04AM +0000, Subodh Iyengar wrote:
> Was there a compelling reason to not just put the ticket age in the
> clear in the CHLO field as @davidben alluded to before? It seems to
> make it much simpler in general.

Unfortunately, just putting it in plain allows correlating sessions.
That's the reason it is XOR'd currently, but the XOR probably will be
changed to ADD32 to break correlation-to-parent (which is really nasty
privacy-wise) in case of ticket reuse.

> With support for multiple tickets the server could issue multiple
> tickets at different times to make time correlation more difficult.
> The ticket seems to be a more definitive identifier of the user
> than the time.

There is already support for that. But without fudging the times,
correlation is still possible.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
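
Added example, not part of the original message or of any TLS implementation: a comparison of what two uses of the same ticket expose under the XOR and ADD32 obfuscation mentioned above. It assumes the obfuscation value is a per-ticket secret 32-bit mask; the function names, the mask, the ages and the elapsed time are all constructed for illustration.

```python
MOD = 1 << 32  # ticket ages and masks treated as 32-bit values (assumption)

def obf_xor(age, mask):
    """XOR obfuscation, the scheme the message describes as current."""
    return (age ^ mask) % MOD

def obf_add(age, mask):
    """ADD32 obfuscation, the scheme the message expects to replace XOR."""
    return (age + mask) % MOD

def reuse_leak_xor(o1, o2):
    # Same ticket means same mask, so it cancels: (a1^m)^(a2^m) == a1^a2.
    return o1 ^ o2

def reuse_leak_add(o1, o2):
    # The mask cancels here too, leaving a2 - a1, the time between the two
    # connections, which anyone watching both connections already knows.
    return (o2 - o1) % MOD

def consistent_ages(leak, elapsed, max_age):
    """Ages below max_age that agree with an observed XOR leak."""
    return [a for a in range(max_age) if a ^ (a + elapsed) == leak]

def demo():
    mask = 0x5A17C3E9      # constructed per-ticket secret
    elapsed = 1000         # constructed gap between the two uses of a ticket
    results = {}
    for true_age in (4321, 7000):   # constructed ages at first reuse
        a1, a2 = true_age, true_age + elapsed
        x = reuse_leak_xor(obf_xor(a1, mask), obf_xor(a2, mask))
        d = reuse_leak_add(obf_add(a1, mask), obf_add(a2, mask))
        results[true_age] = (x, d, consistent_ages(x, elapsed, 1 << 17))
    return results

if __name__ == "__main__":
    for age, (x, d, cands) in demo().items():
        print(f"true age {age}: XOR leak {x:#x}, ADD32 leak {d}, "
              f"{len(cands)} of {1 << 17} ages fit the XOR leak")
```

The XOR leak changes with the real ticket age and rules out part of the age range, while the ADD32 leak is the same elapsed time whatever the age was.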