> On Apr 28, 2017, at 2:29 PM, Eric Rescorla <[email protected]> wrote:
> 
>> What does this mean in practice?  What happens if Postfix continues to use the
>> same ticket multiple times anyway?  Will servers somehow invalidate the ticket
>> after first use?  Are the consequences of reuse more severe than with TLS 1.2?
> 
> Shouldn't be. Mostly, it allows attackers to correlate multiple sessions from the same
> client, which sounds like it's not an issue in your case.

Well, the server 220 banner, client EHLO command and server 250 EHLO response that
precede STARTTLS pretty much take care of correlating sessions from the same client.

Also SMTP is not usually tunneled through proxies, and there is no issue similar to
identifying which HTTP pages a client is loading by correlating multiple requests.
Each message delivery is independent.

Just the client and server IP addresses leak essentially all the data of interest.
The only thing not leaked by these is leaked via SNI and DNS MX lookups.

So I take it that reuse would (in this case) be reasonably harmless.
So I can use the "latest" tickets as often as it remains the "latest"
ticket.  And servers will likely cooperate?

The only change might then be that I might see a much higher rate of session
updates as each handshake obtains another new ticket?  Unless of course whether
to issue a new ticket, or let the current ticket stand is left to the application.

This raises an interoperability question:

        * Should SMTP servers always issue a new ticket when a client resumes a
          session with an existing ticket?

On the one hand, a lot of churn can be saved if the server can replace only
tickets that are close to expiring.

On the other hand, if most clients follow the draft recommendation and discard
tickets on first use, then not issuing a replacement ticket each time will mean
that each session will be resumed just once, and 50% of connections will incur
the cost of a full handshake.

Is the question of whether/when to issue new tickets expected to be part of
an "application profile"?  Do we need a TLS 1.3 application profile for SMTP?
Or just issue a fresh ticket on every resumption?

-- 
        Viktor.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
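
The ticket-issuance trade-off raised in the message above, as an added simulation that is not part of the original e-mail or of Postfix: it counts full handshakes, resumptions and tickets issued for each combination of client behaviour (single-use vs. reuse the latest ticket) and server policy on resumption. The model (one client, one connection per time unit, a new ticket always carrying a fresh lifetime) and all names and parameter values are assumptions.

```python
# Added illustration; model and parameter values are assumptions, not from the thread.
def simulate(single_use, server_policy, connections=1000, lifetime=100, renew_window=10):
    """Count (full_handshakes, resumptions, tickets_issued) for one client.

    single_use    -- client discards a ticket after presenting it once
    server_policy -- what the server does on a *resumed* handshake:
                     "always"      issue a fresh ticket every time
                     "near_expiry" issue only if the presented ticket has
                                   <= renew_window time units left
                     "never"       do not issue on resumption
    A full handshake always yields a ticket. One connection per time unit.
    """
    if server_policy not in ("always", "near_expiry", "never"):
        raise ValueError(server_policy)
    expiry = None            # expiry time of the ticket the client holds
    full = resumed = issued = 0
    for now in range(connections):
        if expiry is not None and now < expiry:
            resumed += 1
            remaining = expiry - now
            issue = (server_policy == "always" or
                     (server_policy == "near_expiry" and remaining <= renew_window))
            if single_use:
                expiry = None    # presented ticket is thrown away
        else:
            full += 1
            issue = True
        if issue:
            issued += 1
            expiry = now + lifetime   # assumption: new ticket, fresh lifetime
    return full, resumed, issued


def report():
    rows = []
    for single_use in (True, False):
        for policy in ("always", "near_expiry", "never"):
            rows.append((single_use, policy, simulate(single_use, policy)))
    return rows


if __name__ == "__main__":
    for single_use, policy, (full, resumed, issued) in report():
        client = "single-use" if single_use else "reuse-latest"
        print(f"{client:12} {policy:11} full={full:4} resumed={resumed:4} tickets={issued:4}")
```

With single-use clients, any server policy other than "always" alternates full and resumed handshakes; with reuse-latest clients, "near_expiry" keeps resumption continuous while issuing only a handful of tickets.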
