On Tue, May 02, 2017 at 02:28:37PM -0500, Benjamin Kaduk wrote:
> On 05/02/2017 02:20 PM, Nico Williams wrote:
> > On Tue, May 02, 2017 at 02:17:17PM -0500, Benjamin Kaduk wrote:
> >> [ stuff about 1.2 elided ]
> > OK, sure, but why not avoid the problem in the first place in 1.3 by
> > sending an encrypted timestamp authenticator (sound familiar?).
>
> If you mean an actual timestamp, see my previous reply about clock accuracy.

Kerberos deals with that.

> If you mean an encrypted relative time, well, that's what it is. The
> encryption is incredibly ad hoc, and requires that the key only be used
> once, but the whole thing started by thinking of it as a super-janky
> encryption scheme. See
> https://www.ietf.org/mail-archive/web/tls/current/msg20373.html and nearby.

Yeah, it's an XOR with a one-time pad that... gets reused if you reuse
the ticket. OF COURSE that fails. Everyone knows not to reuse one-time
pads.

So, in 1.3, at least with 0-rtt, can we replace this with a proper
encryption?

Nico