David Mazieres <[email protected]> writes:

> * Specs should assume the session ID will be made public and ensure
>   that it contains no confidential data (such as data permitting the
>   derivation of session keys).
>
> * However, unless the application at either end of a connection
>   takes steps to disclose the session ID, specs should ensure that a
>   network eavesdropper has a negligible advantage in differentiating
>   the collision-resistant hash in a session ID from uniform random
>   bytes.
Just wordsmithing a bit, I now propose:

* Unless and until applications disclose information about the session
  ID, all but the first byte MUST be computationally indistinguishable
  from random bytes to a network eavesdropper.

* Applications MAY choose to make session IDs public. Therefore, specs
  MUST NOT place any confidential data in the session ID (such as data
  permitting the derivation of session keys).

David

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
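The two requirements above (all but the first byte indistinguishable from random to an eavesdropper; nothing in the ID that permits deriving session keys) are both satisfied by deriving the session ID and the traffic keys as separate outputs of one key-derivation function under distinct labels. The following is an added illustration, not code from this message or from any tcpinc draft; the HKDF label strings, the public type byte, and the function names are constructed for the example, and it contrasts a safe derivation with an anti-pattern in which the session ID is itself the key-derivation secret.

```python
"""Deriving a session ID that is safe to publish.

Added example, not from the tcpinc thread: session keys and the session
ID are independent HKDF outputs of the same pseudorandom key, so the ID
(a) looks uniformly random apart from its first byte and (b) carries
nothing that lets anyone recompute the keys.  Labels and the public type
byte are constructed values, not taken from any specification.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PUBLIC_TYPE_BYTE = b"\x01"  # constructed: the one byte a spec may leave non-random


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_safe(shared_secret: bytes, transcript: bytes) -> dict:
    """Session ID and keys are distinct PRF outputs of the same PRK.

    Learning the session ID gives an eavesdropper no way to compute the
    traffic keys short of breaking HMAC-SHA256."""
    prk = hkdf_extract(HASH(transcript).digest(), shared_secret)
    return {
        "session_id": PUBLIC_TYPE_BYTE + hkdf_expand(prk, b"session id", 31),
        "key_c2s": hkdf_expand(prk, b"key c2s", 32),
        "key_s2c": hkdf_expand(prk, b"key s2c", 32),
    }


def derive_unsafe(shared_secret: bytes, transcript: bytes) -> dict:
    """Anti-pattern: the session ID *is* the PRK the keys are expanded from.

    Any party that learns this session ID (a log file, an application API)
    can rerun HKDF-Expand and recover both traffic keys."""
    prk = hkdf_extract(HASH(transcript).digest(), shared_secret)
    return {
        "session_id": prk,
        "key_c2s": hkdf_expand(prk, b"key c2s", 32),
        "key_s2c": hkdf_expand(prk, b"key s2c", 32),
    }


def keys_recoverable_from_session_id(bundle: dict) -> bool:
    """What a party holding only the session ID can try: treat it as the PRK
    and rerun the expansion.  True means the ID leaked key material."""
    sid = bundle["session_id"]
    return hkdf_expand(sid, b"key c2s", 32) == bundle["key_c2s"]


def session_id_shape_ok(session_id: bytes) -> bool:
    """Structural check on the proposal's shape: fixed length, one public
    first byte, the remaining 31 bytes taken straight from the PRF output."""
    return len(session_id) == 32 and session_id[:1] == PUBLIC_TYPE_BYTE


if __name__ == "__main__":
    secret = b"constructed shared secret from a key exchange"
    transcript = b"constructed handshake transcript"
    for name, fn in (("safe", derive_safe), ("unsafe", derive_unsafe)):
        b = fn(secret, transcript)
        print(name, "session id:", b["session_id"].hex(),
              "keys recoverable from it:", keys_recoverable_from_session_id(b))
```

The design choice worth noting is that the safe variant never feeds the session ID into key derivation and never feeds key material into the session ID; both are outputs, so publishing one says nothing about the other. The 31 random-looking bytes are a raw PRF output, which is what makes the eavesdropper's distinguishing advantage negligible in the sense of the proposed text.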
