On Tue, May 02, 2017 at 12:39:06PM -0500, Nico Williams wrote: > On Tue, May 02, 2017 at 01:33:37PM -0400, Viktor Dukhovni wrote: > > > On May 2, 2017, at 10:44 AM, Colm MacCárthaigh <c...@allcosts.net> wrote: > > > https://github.com/tlswg/tls13-spec/issues/1001 > > > > > > I'll summarize the summary: Naturally the focus was on forward > > > secrecy and replay. On forward secrecy the main finding was that > > > it's not necessary to trade off Forward Secrecy and 0-RTT. A > > > single-use session cache can provide it, and with the modification > > > that ekr has created in https://github.com/tlswg/tls13-spec/pull/998 > > > , such a cache works for both pre-auth and post-auth tickets, and it > > > allows clients to build up pools of meaningfully distinct tickets. > > With existing APIs, dealing with "pools of meaningfully distinct > tickets" seems meaningfully non-trivial. > > > > There's also an observation there that it should really be that > > > clients "MUST" use tickets only once. Any re-use likely discloses > > > the obfuscated ticket age, which is intended to be secret. Right now > > > it's a "SHOULD". > > Why should ticket age disclosure be a problem? How does ticket one-time > use not do the same?
Also, let's separate ticket re-use and 0-rtt. The former is generally desirable and workable. The two might not be, but if so one should expect a "SHOULD NOT" or "MUST NOT" to be specifically about the combination of tickets and 0-rtt. Also, the "SHOULD NOT" should have guidance as to when/why one might do it anyways. For many applications the leakage in re-using tickets w/ 0-rtt will be a non-issue. Nico -- _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
