On Tue, May 02, 2017 at 05:28:39PM -0700, Colm MacCárthaigh wrote:
> This whole problem of needing client-side clocks, and having to obfuscate
> an age, goes away if we remove the ticket age entirely.
>
> Hopefully the security review makes a strong case that the age is fairly
> useless from a security point of view. Even with the age, an attacker can
> still generate millions to billions of replays. Even with very conservative
> numbers, e.g. to just one host, the attacker can still certainly generate
> tens of thousands of replays within the permitted window. Better to
> require servers to reject duplicates (when used with Zero-RTT), and leave
> it at that.

It's hard to disagree with this. The only problem is that the caches
needed for server-side replay protection are non-trivial to implement,
especially with high concurrency, and even more so for clustered
services.

Nico
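
Added example, not part of the original message or of any TLS implementation: a single-process duplicate filter for Zero-RTT ClientHellos, showing the atomic check-and-insert that concurrency requires. The names ReplayCache, accept_early_data and concurrent_accepts, the SHA-256 key, and the caller-supplied monotonic clock are assumptions made for illustration.

```python
import hashlib
import threading
from collections import OrderedDict


class ReplayCache:
    """Per-process duplicate filter for 0-RTT ClientHellos (illustrative)."""

    def __init__(self, window_seconds, max_entries):
        self.window = window_seconds
        self.max_entries = max_entries
        self._seen = OrderedDict()     # digest -> first-seen time, oldest first
        self._lock = threading.Lock()  # lookup and insert must be one atomic step

    def _expire(self, now):
        # Assumes `now` never goes backwards, so insertion order is age order.
        while self._seen:
            digest, first_seen = next(iter(self._seen.items()))
            if now - first_seen < self.window:
                break
            del self._seen[digest]

    def accept_early_data(self, client_hello, now):
        """Return True only for the first sighting inside the window."""
        digest = hashlib.sha256(client_hello).digest()
        with self._lock:
            self._expire(now)
            if digest in self._seen:
                return False           # duplicate: reject the early data
            if len(self._seen) >= self.max_entries:
                return False           # cache full: fail closed instead of evicting
            self._seen[digest] = now
            return True


def concurrent_accepts(cache, client_hello, workers=32):
    """Replay one ClientHello from many threads; return how many were accepted."""
    results = []

    def worker():
        results.append(cache.accept_early_data(client_hello, now=0.0))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

Two ReplayCache instances standing in for two hosts each accept the same ClientHello once, because neither sees the other's state; a clustered service needs a shared or partitioned store to close that gap.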