It seems that draft-mattsson-tls-psk-ke-dont-dont-dont also deprecates some other stuff. However, it does not seem to deprecate session_ticket (recommended=Y!).
That extension is flawed in multiple ways, and those flaws interact in nasty ways, with the end result worse than psk_ke. If psk_ke warrants being marked as recommended=D, then session_ticket definitely also does.

If the server has session tickets enabled, then the STEK is the master key to decrypt all TLS 1.2 connections that advertise session_ticket. Furthermore, unless the server has explicit checks to limit total session lifetime (which is not the same as ticket age), an attacker can roll over tickets to a new STEK.

-Ilari
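
An added example, not part of the message above and not code from any TLS stack: a server-side sketch of the difference between a ticket-age check and a total-session-lifetime check across STEK rotation. The function names, the hourly rotation, both limits and the HMAC-only ticket seal are assumptions made for illustration.

```python
import hashlib, hmac, json

TICKET_AGE_LIMIT = 3600         # max age of a single ticket (assumed policy)
SESSION_LIFETIME_LIMIT = 86400  # max time since the original full handshake (assumed policy)

def seal(stek, state):
    # Integrity only, to keep the sketch short; real tickets are also encrypted under the STEK.
    body = json.dumps(state, sort_keys=True).encode()
    return hmac.new(stek, body, hashlib.sha256).digest() + body

def unseal(steks, ticket):
    tag, body = ticket[:32], ticket[32:]
    for stek in steks:
        if hmac.compare_digest(tag, hmac.new(stek, body, hashlib.sha256).digest()):
            return json.loads(body)
    return None

def issue(stek, session_id, now, start=None):
    # "start" is the time of the original full handshake; renewals carry it forward unchanged.
    return seal(stek, {"sid": session_id, "issued": now, "start": now if start is None else start})

def resume(steks, ticket, now, enforce_total=True):
    """Return a renewed ticket under steks[0], or None to force a full handshake."""
    state = unseal(steks, ticket)
    if state is None or now - state["issued"] > TICKET_AGE_LIMIT:
        return None
    if enforce_total and now - state["start"] > SESSION_LIFETIME_LIMIT:
        return None
    return issue(steks[0], state["sid"], now, state["start"])

def stek_at(t):
    # Constructed keys: one STEK per hour, derived from a label for repeatability.
    return hashlib.sha256(b"constructed-stek-%d" % (t // 3600)).digest()

def simulate(enforce_total, duration=48 * 3600, step=1800):
    """Resume every `step` seconds; return the time of the last successful resumption."""
    ticket, t = issue(stek_at(0), "session-A", 0), 0
    while t + step <= duration:
        steks = [stek_at(t + step), stek_at(max(t + step - 3600, 0))]  # current + previous
        renewed = resume(steks, ticket, t + step, enforce_total)
        if renewed is None:
            break
        ticket, t = renewed, t + step
    return t

if __name__ == "__main__":
    print("ticket-age check only:", simulate(False) // 3600, "hours")
    print("with total-lifetime cap:", simulate(True) // 3600, "hours")
```

With only the ticket-age check, the same session state is re-sealed under every new STEK for the whole simulated period; with the cap, resumption stops once the original handshake is older than the limit.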