Thank you all for you answers. On 30 October 2017 at 15:52, Benjamin Kaduk <bka...@akamai.com> wrote: > On 10/30/2017 04:51 AM, Jānis Čoders wrote: >> Thank you. Ok, I understand that some servers could not allow reuse of >> cookie, but why is it FORBIDDEN by standard? It could be suggested to >> not reuse in general cases, but if I wanted to use TLS 1.3 with my >> custom server, which uses cookies to only prevent spoofing attacks (in >> UDP (DTLS) case). And clients know that they can reuse previous >> cookies for fast handshake, then why would it be prohibited? >> >> > > The standard must ensure that compliant clients interoperate with > compliant servers. Compliant servers are permitted (expected, even, for > DTLS!) to offload state such as the handshake hash into the cookie. A > client that reused a cookie from an old connection on a new connection > to such a server would fail to interoperate, as the server would use the > wrong handshake transcript. Ergo, the spec strictly forbids clients > from implementing this behavior in order to preserve interoperability. > > There is "nothing" to stop some actor from deploying a noncompliant > implementation on their own private network where interoperability with > compliant implementations is not needed, but of course then that actor > must take responsibility for any changes to the security and privacy > properties as a result of those noncompliant modifications. In this > case, for example, the routability proof embedded in the cookie could > become stale with time (in case of readdressing), and the repeated > cookie provides linkability between ClientHellos from the same client > (to an adversary observing at some point in the middle of the network), > for a start. No one could guarantee that there are not more changes to > the security and privacy properties than those already listed, of course. > > -Ben
-- Ar cieņu, Jānis Čoders _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
