Was there a compelling reason to not just put the ticket age in the clear in 
the CHLO field as @davidben alluded to before? It seems to make it much simpler 
in general.

With support for multiple tickets the server could issue multiple tickets at 
different times to make time correlation more difficult. The ticket seems to be 
a more definitive identifier of the user than the time.

Subodh
________________________________________
From: TLS [[email protected]] on behalf of Martin Thomson [[email protected]]
Sent: Thursday, June 23, 2016 1:59 PM
To: David Benjamin
Cc: [email protected]
Subject: Re: [TLS] Remove EncryptedExtensions from 0-RTT

On 24 June 2016 at 01:05, David Benjamin <[email protected]> wrote:
> I don't think this matters. Just don't reuse tickets. But, if we cared, per
> the "dumbest possible thing that might work" school of thought, we can
> replace XOR with addition modulo 2^32. Now ticket reuse leaks the delta
> between two ClientHellos, which, precision aside, was already public
> information from the receive time (with ticket as correlator). The timestamp
> of the ticket-minting connection is as secret as before.

That sounds like fine reasoning to me.  XOR or addition are both easy
enough to specify.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

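
The XOR-versus-addition point discussed in this thread, as an added example that is not part of the original messages: it shows what a passive observer can compute when one ticket, and so one mask, is reused across two ClientHellos. The function names, the millisecond units, the 32-bit width of the age and the sample ages are assumptions made for the illustration.

```python
import secrets

MOD = 1 << 32  # assumption: ticket age and mask are 32-bit values


def obfuscate_xor(age_ms, mask):
    """Mask the ticket age by XOR with a per-ticket secret."""
    return (age_ms ^ mask) & (MOD - 1)


def obfuscate_add(age_ms, mask):
    """Mask the ticket age by addition modulo 2^32."""
    return (age_ms + mask) % MOD


def recover_add(wire_value, mask):
    """Server side: undo the additive mask, including wrap-around."""
    return (wire_value - mask) % MOD


def observer_leak(age1_ms, age2_ms, mask):
    """What an observer who does not know the mask can derive from two
    ClientHellos that reuse the same ticket (same mask)."""
    x1, x2 = obfuscate_xor(age1_ms, mask), obfuscate_xor(age2_ms, mask)
    a1, a2 = obfuscate_add(age1_ms, mask), obfuscate_add(age2_ms, mask)
    return {
        "xor": x1 ^ x2,           # equals age1 XOR age2, mask cancels
        "add": (a2 - a1) % MOD,   # equals age2 - age1, mask cancels
    }


if __name__ == "__main__":
    mask = secrets.randbits(32)
    # Constructed sample ages: both pairs are 500 ms apart, but the
    # second ticket is older when it is used.
    for ages in [(1000, 1500), (7000, 7500)]:
        print(ages, observer_leak(*ages, mask))
```

With addition the observer learns only the gap between the two ClientHellos, whatever the ticket's age; with XOR the derived value also changes with how old the ticket is.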
