Yes, I think this would be good text. PR wanted :) -Ekr
On Thu, May 19, 2016 at 11:19 AM, Kyle Rose <kr...@krose.org> wrote:
> Regarding the ability for passive observers' tracking of clients
> across connections (and potentially across IPs) via a session ticket
> used more than once, should there be any language around recommended
> practice here, especially for clients?
>
> An appropriately-configured server can help the client avoid this
> problem without performance penalty by issuing a new session ticket on
> every connection (for non-overlapping handshakes) and/or multiple on
> one (to cover that gap), and a client can help by keeping only the
> most recent ticket for a particular session and/or using a given
> ticket only once.
>
> Thoughts on adding language under "Implementation Notes" such as:
>
> "Clients concerned with privacy against tracking by passive observers
> SHOULD use a PSK/session ticket at most once. Servers SHOULD issue
> more than one session ticket per handshake, or issue a new session
> ticket on every resumption handshake, to assist in the privacy of the
> client while maintaining the performance advantage of session
> resumption."
>
> For pure PSK I assume tracking is less of an issue, but I'm happy to
> entertain thoughts there, as well.
>
> Kyle
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
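The trade-off Kyle describes, as an added model that is not part of the thread: a passive observer who sees the PSK identity a client presents in the clear can link every connection that reuses the same ticket, while single-use tickets plus a server that issues fresh tickets on each handshake leave nothing to link. Assumptions are that ticket values are random and opaque, and that the client falls back to a full handshake when its ticket pool is empty (all names below are constructed).

```python
import os
from collections import defaultdict

def issue_tickets(n):
    # Fresh random ticket values: an observer cannot relate one to another.
    return [os.urandom(8).hex() for _ in range(n)]

class Client:
    def __init__(self, single_use):
        # single_use=True is the proposed client policy: use a ticket at most once.
        self.single_use = single_use
        self.tickets = []

    def connect(self, per_full, per_resumption):
        """One connection. Returns the PSK identity a passive observer sees
        (None means a full handshake with no ticket presented)."""
        if not self.tickets:
            self.tickets.extend(issue_tickets(per_full))   # server issues after full handshake
            return None
        # Always present the most recent ticket; consume it under the single-use policy.
        identity = self.tickets.pop() if self.single_use else self.tickets[-1]
        self.tickets.extend(issue_tickets(per_resumption))  # server issues after resumption
        return identity

def largest_linkable_group(identities):
    """Observer groups connections by visible identity; returns the largest group."""
    groups = defaultdict(list)
    for i, ident in enumerate(identities):
        if ident is not None:
            groups[ident].append(i)
    return max((len(g) for g in groups.values()), default=0)

def simulate(single_use, per_full, per_resumption, connections=20):
    """Returns (largest linkable group, number of full handshakes) for one policy mix."""
    client = Client(single_use)
    ids = [client.connect(per_full, per_resumption) for _ in range(connections)]
    return largest_linkable_group(ids), ids.count(None)

if __name__ == "__main__":
    print("reuse, no new ticket on resumption:", simulate(False, 1, 0))  # all 19 resumptions linkable
    print("reuse, new ticket every handshake:", simulate(False, 1, 1))   # unlinkable, 1 full handshake
    print("single-use, ticket only on full:", simulate(True, 1, 0))      # unlinkable, but 10 full handshakes
    print("single-use, 2 on full + 1 per resumption:", simulate(True, 2, 1))  # unlinkable, 1 full handshake
```

The third case shows the performance cost the proposed text wants to avoid: a single-use client whose server never reissues tickets pays a full handshake every other connection, which the extra tickets in the fourth case remove.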