Hi Martin, can you please explain why you think this is not the right solution?

To start the discussion, I provide below some insights on why I ended up with this solution.

Question 1: Shall the problem be solved by a cross-layer solution or by a TLS-only approach?

Arguments for a TLS-only approach:
+ It is simpler to solve the problem within TLS
+ TLS resumptions across SNI values are available for every use case of TLS
+ So far, there does not exist a mechanism in another protocol which can be directly used to indicate feasible session resumptions across SNI values

Arguments for a cross-layer solution:
+ Context information of other protocols such as HTTP and IP can be used to fine-tune resumptions across SNI values

Question 2: Shall the TLS resumption group be defined as a separate list provided by the server or cover the entire SAN list of the certificate?

Note that it is a strict requirement that resumptions across SNI values are only conducted if the involved SNI values are valid for the server certificate presented during the initial connection establishment.

Arguments for a separate list:
+ Flexibility, to define the resumption group without some entries of the SAN list

Arguments for defining the resumption group as the entire SAN list:
+ Smaller overhead in terms of data traffic
+ Simpler and hopefully avoids new security errors that implementations allow to conduct session resumptions to illegitimate SNI values

Finally, I ended up with a TLS-only approach using the entire SAN list as a resumption group. However, I do not claim that the provided lists of arguments are complete and would like to encourage you to contribute to this list.

Thanks,
Erik

On 4/13/19 06:10, Martin Thomson wrote:
> I like the basic idea, but I don't think that this is the right solution. I
> realize that we can adopt and fix, but my preference is to have a little
> more time to discuss solutions before we adopt anything.
>
> On Sat, Apr 13, 2019, at 09:35, Christopher Wood wrote:
>> At TLS@IETF104, there was interest in the room to adopt
>> draft-sy-tls-resumption-group as a WG item. The draft can be found here:
>>
>> https://datatracker.ietf.org/doc/draft-sy-tls-resumption-group/
>>
>> This email starts the call for adoption. It will run until April 26,
>> 2019. Please indicate whether or not you would like to see this draft
>> adopted.
>>
>> Thanks,
>> Chris, Joe, and Sean
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
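The strict requirement Erik states above, that a session may only be resumed under a different SNI value if that value is valid for the originally presented certificate, can be modelled as a small client-side check. The following is an added example written for this thread, not code from the draft or from any TLS library; the ticket and group types are assumed, and DNS-ID matching follows the single-label wildcard rule of RFC 6125.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


def _host_matches_san(host: str, san: str) -> bool:
    """Case-insensitive DNS-ID match; '*' covers exactly one leftmost label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                      # "*.example.net" -> ".example.net"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]         # the label(s) standing in for '*'
    return bool(prefix) and "." not in prefix


@dataclass
class ResumptionGroup:
    """Resumption group = the entire SAN list of the original certificate
    (the variant Erik chose); a server-provided subset would work the same."""
    sans: list[str]

    def covers(self, sni: str) -> bool:
        return any(_host_matches_san(sni, san) for san in self.sans)


@dataclass
class SessionTicket:
    """Assumed shape: the SNI of the initial handshake plus its group."""
    original_sni: str
    group: ResumptionGroup


def resumption_allowed(ticket: SessionTicket, requested_sni: str) -> bool:
    """Same-SNI resumption is always fine; a cross-SNI resumption is only
    allowed when both involved SNI values are covered by the group."""
    if requested_sni.lower() == ticket.original_sni.lower():
        return True
    return ticket.group.covers(ticket.original_sni) and ticket.group.covers(requested_sni)


def find_resumable_ticket(cache: list[SessionTicket], sni: str) -> Optional[SessionTicket]:
    """Client cache lookup: prefer an exact-SNI ticket, otherwise any ticket
    whose resumption group permits a cross-SNI resumption for `sni`."""
    for t in cache:
        if t.original_sni.lower() == sni.lower():
            return t
    for t in cache:
        if resumption_allowed(t, sni):
            return t
    return None
```

A ticket for a host outside the group is never reused, so a name that merely shares a suffix (for example a deeper subdomain under a wildcard) falls back to a full handshake.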