On Wed, May 3, 2017 at 2:20 PM, Nico Williams <n...@cryptonector.com> wrote:
> It's what Kerberos has been doing for decades. RFC4120 (before that
> RFC1510).

I'll take your word for it!

> > > > Type 2.1 - Ticket intended for 0-RTT, does include the ticket age (maybe
> > > > not in the ticket itself, but somewhere in the handshake), can only be
> > > > used once.
> > >
> > > No. Give advice. Do not remove these features.
> >
> > I think the can only be used once for 0-RTT needs to be firm. Otherwise
> > 0-RTT mode is insecure.
>
> I don't agree: the application may not care.

No, it's still insecure ... because it may matter to the application, and worse still the application owner may not even realize that. The existence of some rare environments where one can truly, deeply, understand the idempotency and side-effect problems and fully reason about their implications does not invalidate that. For security, we must assume the worst, not hope for the best.

Also: rejecting duplicates is safe in both environments. The main downside is the cost to operators, but I'm not sympathetic to an argument that costs should be cut by pushing significant risk downstream.

> > > > Type 2.2 - Same as 2.1, but required to be smaller than RPSK in size, to
> > > > prevent self-encryption.
> > >
> > > I don't grok this.
> >
> > Self-encrypting tickets require STEKs and all of their problems. [...]
>
> Can you elaborate? (I don't follow TLS WG that closely. I'm from
> KITTEN WG.)

Sure ... https://www.ietf.org/mail-archive/web/tls/current/msg23100.html

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls