On Wed 2015-08-12 20:08:28 -0400, David Mazieres wrote:
> Kyle Rose <[email protected]> writes:
>> 4.1: Do you want to add the additional requirement that session IDs be
>> public, i.e., not be secret to endpoints/applications?
>
> This was the intent of the following bullet in section 4.1:
>
>    o  The session ID MUST NOT contain any confidential data (such as
>       data permitting the derivation of session keys).
>
> We didn't use the word "public" because that almost sounds like there's
> a requirement to disclose the session ID.  But if the existing wording
> is not clear, we are certainly open for suggestions.

We almost certainly want endpoints/applications to treat the session ID
as sensitive information -- leaked knowledge of the session ID would
allow someone to impersonate the other party if any authentication was
bootstrapped off of the session ID.

The point of the text David highlights above is to ensure that an
endpoint/application can't learn anything about the cryptographic
secrets through the session ID interface -- that is, it defends the
cryptographic layer from breakage by the client.  But we shouldn't
encourage clients to break the layer that is accessible to them (the
session ID) by publishing their data either.

        --dkg

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
