Text on session resumption #3566
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In looking at #3028, I realized that we had nowhere that addressed the basic concept of resumption. This is, I hope, all that we need to say on the subject. It talks about state and then the privacy implications of using resumption. I found less in the TLS 1.3 RFC on this subject than I might have liked to see. It only really addressed ticket reuse. So this is a little more verbose than is ideal. Closes #3028.
martinthomson
added
editorial
huitema
reviewed
Apr 8, 2020
| Client SHOULD NOT reuse tickets as that allows entities other than the server | ||
| to correlate connection; see Section C.4 of {{!TLS13}}. | ||
|
|
||
|
|
There was a problem hiding this comment.
Looks good. Simple and to the point. My only reservation is about the security section. Session resumption allows tracking by the server, and this is arguably a security issue. The text here properly describes the concern and the remediation, but I wonder whether should there be a mention of these potential privacy issues in the security section.
ianswett
approved these changes
Apr 8, 2020
marten-seemann
approved these changes
Apr 9, 2020
MikeBishop
approved these changes
Apr 9, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In looking at #3028, I realized that we had nowhere that addressed the basic concept of resumption. This is, I hope, all that we need to say on the subject. It talks about state and then the privacy implications of using resumption.
I found less in the TLS 1.3 RFC on this subject than I might have liked to see. It only really addressed ticket reuse. So this is a little more verbose than is ideal.
Oh, and there are new requirements here, but as they are restatements of existing requirements, I don't think that this needs to be a design change. But I will happily switch to treating this as a design issue if anyone asks.
Closes #3028.