On Tue, May 02, 2017 at 02:41:34PM -0500, Benjamin Kaduk wrote:
> On 05/02/2017 02:31 PM, Nico Williams wrote:
> > So, in 1.3, at least with 0-rtt, can we replace this with a proper
> > encryption?
>
> If you reuse the ticket, the only concrete stated benefit from this
> encryption is lost already. What benefit would be gained from using
> better encryption for ticket_age_add?

Well, I did say that to me there's not much difference to _me_ between
"connections reusing the same ticket can be correlated to each other"
and "connections reusing the same ticket can be correlated to each other
and the connection whence the ticket". Others might disagree, and if
that is reasonable enough then the best thing to do is to encrypt this
darned thing.

On principle, too, I think one might prefer to encrypt properly just
because we really shouldn't be doing this sort of thing.

Among other things the lack of integrity protection for this field makes
me think that we need to analyze not only passive attacks against it,
but active attacks too. It'd be so much easier if we didn't have to.

Nico
--

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls