On Tue, May 2, 2017 at 11:31 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> On May 2, 2017, at 2:15 PM, Colm MacCárthaigh <c...@allcosts.net> wrote:
> >
> > In that case, the only reason I see to stop using tickets multiple times is to protect
> > the obfuscated age. It reads to me like its purpose would just be defeated. Is it
> > really that hard for clients to use a 1-for-1 use-a-ticket-get-a-ticket
> > approach?
>
> Yes, it is difficult to do 1-for-1. In postfix there are parallel client processes
> reading a shared session cache, and parallel writers updating that cache, and without
> major changes to the code, when two writers update the cache back to back only one
> ticket (really SSL_SESSION object) is saved. Under load, many clients would not
> find a ticket at all.

That makes sense to me. Thanks for the detail.

-- 
Colm
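The shared-cache race Viktor describes, modelled as an added example that is not part of the thread and is not Postfix code: a single cache slot per destination (standing in for one stored SSL_SESSION per key, last writer wins), N parallel client processes per delivery round, each of which reads the cache, handshakes, receives a fresh ticket and writes it back. The destination name, the round/client counts and the "all reads happen before any write" ordering are assumptions chosen to make the lost-update visible; the comparison is between a strict use-a-ticket-get-a-ticket policy and letting every reader reuse the stored ticket.

```python
"""Model of the shared-session-cache race described in the thread.

Constructed example, not Postfix code. One cache slot per destination
(last-writer-wins, standing in for a single stored SSL_SESSION per key),
N parallel client processes per delivery round. Compares a strict
use-a-ticket-get-a-ticket policy against letting every reader reuse the
stored ticket.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Ticket:
    ident: int  # opaque ticket identity issued by the simulated server


class SharedCache:
    """Single slot per destination; a write simply overwrites the slot."""

    def __init__(self):
        self._slot = {}

    def read(self, dest, consume):
        # consume=True models "use a ticket once": the first parallel reader
        # takes the ticket out of the cache, every later reader finds nothing.
        if consume:
            return self._slot.pop(dest, None)
        return self._slot.get(dest)

    def write(self, dest, ticket):
        # Back-to-back writers: only the last SSL_SESSION written survives.
        self._slot[dest] = ticket


def simulate(clients, rounds, single_use, dest="mx.example"):
    """Run `rounds` rounds of `clients` parallel deliveries to one destination.

    Returns counters: resumed handshakes, full handshakes, tickets written
    and tickets lost to the overwrite (dest is a made-up hostname).
    """
    server_tickets = itertools.count(1)
    cache = SharedCache()
    stats = {"resumed": 0, "full_handshakes": 0,
             "tickets_written": 0, "tickets_lost": 0}
    for _ in range(rounds):
        # Phase 1: all clients read in parallel, before any of them writes.
        found = [cache.read(dest, consume=single_use) for _ in range(clients)]
        for ticket in found:
            if ticket is None:
                stats["full_handshakes"] += 1
            else:
                stats["resumed"] += 1
        # Phase 2: every handshake (full or resumed) yields a fresh ticket and
        # every client writes it back; the single slot keeps only one of them.
        for _ in range(clients):
            cache.write(dest, Ticket(next(server_tickets)))
        stats["tickets_written"] += clients
        stats["tickets_lost"] += clients - 1
    return stats


if __name__ == "__main__":
    for policy in (True, False):
        label = "single-use" if policy else "reusable"
        print(label, simulate(clients=8, rounds=10, single_use=policy))
```

With eight parallel clients, the single-use policy lets exactly one client per round resume (the one that won the pop), so resumption stays near 1/N of deliveries no matter how many tickets the server hands out; the reusable policy lets all eight resume once the slot is populated. The `tickets_lost` counter is the same in both runs, which is the point: the overwrite is a property of the cache, not of the ticket policy, and only 1-for-1 turns it into missed resumptions.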
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls