On Tue, May 02, 2017 at 10:48:29AM -0700, Colm MacCárthaigh wrote:
> On Tue, May 2, 2017 at 10:39 AM, Nico Williams <n...@cryptonector.com>
> wrote:
> > With existing APIs, dealing with "pools of meaningfully distinct
> > tickets" seems meaningfully non-trivial.
>
> I would actually prefer if the client could request N tickets, but was
> advised that this was too large a change to the protocol.
>
> > > > There's also an observation there that it should really be that
> > > > clients "MUST" use tickets only once. Any re-use likely discloses
> > > > the obfuscated ticket age, which is intended to be secret. Right now
> > > > it's a "SHOULD".
> >
> > Why should ticket age disclosure be a problem? How does ticket one-time
> > use not do the same?
>
> The draft writes that it is to prevent connection correlation attacks.

I would think that the ticket itself is enough for that when using 0-rtt.
I.e., if you don't want connection correlation to be possible, you can't
use 0-rtt. The age business (which I hadn't looked into before) seems
incidental.

(Also, one would think that the client would send a timestamp in an
authenticator... You know, a lot like what Kerberos does.)

Nico

--
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
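As an added illustration that is not part of the thread, the following Python models the draft's obfuscated ticket age and shows what a passive observer learns from the two points argued above: reusing one ticket lets the per-ticket `ticket_age_add` cancel out of two observed ages, and the ticket identity alone already links the connections that offer it. The ticket names, ages and `ticket_age_add` values are constructed for the example.

```python
# Added example (not from the TLS list thread): models the TLS 1.3 draft's
# obfuscated ticket age and what a passive observer learns from ticket reuse.
import secrets

MOD = 1 << 32  # obfuscated_ticket_age is a uint32


def obfuscated_ticket_age(ticket_age_ms, ticket_age_add):
    """Client computation from the draft: real ticket age in milliseconds
    plus the server-chosen 32-bit ticket_age_add, reduced mod 2^32."""
    return (ticket_age_ms + ticket_age_add) % MOD


def observed_age_delta(obf_age_first, obf_age_second):
    """Observer view of two offers of the SAME ticket: ticket_age_add is
    identical in both, so it cancels and the real elapsed time is exposed."""
    return (obf_age_second - obf_age_first) % MOD


def correlate_by_ticket(offers):
    """offers: list of (connection_id, ticket_identity, obfuscated_age) as
    visible in ClientHello PSK identities. Any ticket identity seen more than
    once links those connections, independent of the age field."""
    by_ticket = {}
    for conn_id, identity, obf_age in offers:
        by_ticket.setdefault(identity, []).append((conn_id, obf_age))
    return {t: conns for t, conns in by_ticket.items() if len(conns) > 1}


def demo():
    # Constructed scenario: the server issued ticket-A with a random
    # ticket_age_add; the client reuses it 60 s later instead of a fresh one.
    ticket_age_add = secrets.randbelow(MOD)
    first = obfuscated_ticket_age(1_500, ticket_age_add)     # 1.5 s old
    second = obfuscated_ticket_age(61_500, ticket_age_add)   # 61.5 s old
    # A distinct ticket carries an independent ticket_age_add, so its
    # obfuscated age differs from the others by an unrelated random amount.
    other = obfuscated_ticket_age(61_500, secrets.randbelow(MOD))
    offers = [("conn-1", "ticket-A", first),
              ("conn-2", "ticket-B", other),
              ("conn-3", "ticket-A", second)]
    return {
        "leaked_elapsed_ms": observed_age_delta(first, second),  # 60000
        "linked": correlate_by_ticket(offers),                   # ticket-A only
    }


if __name__ == "__main__":
    print(demo())
```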