On Tue, May 02, 2017 at 12:39:06PM -0500, Nico Williams wrote:
> On Tue, May 02, 2017 at 01:33:37PM -0400, Viktor Dukhovni wrote:
>
> > > There's also an observation there that it should really be that
> > > clients "MUST" use tickets only once. Any re-use likely discloses
> > > the obfuscated ticket age, which is intended to be secret. Right now
> > > it's a "SHOULD".
>
> Why should ticket age disclosure be a problem? How does ticket one-time
> use not do the same?

Ticket re-use is the reason why the masking uses add modulo 2^32 instead
of xor (which is more common). Using add for masking does not leak
identity of the parent session (xor would leak it) even on re-use. And
ticket-reuse leaks the fact that the child sessions are related anyway,
nothing that can be done about that.

-Ilari
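
The add-versus-xor point in the reply above, as an added example that is not part of the original thread: it compares what an observer of two uses of the same ticket can compute under each masking. The function names, ticket ages, mask values and the search window are constructed for illustration, the XOR variant is hypothetical, and reading "narrows the real age" as "points at when the ticket was issued" is an interpretation of the message.

```python
MOD = 2**32  # the obfuscated ticket age is a 32-bit value

def mask_add(age_ms, ticket_age_add):
    """Masking by addition modulo 2^32, as described in the message."""
    return (age_ms + ticket_age_add) % MOD

def mask_xor(age_ms, mask):
    """Hypothetical XOR masking, shown for comparison only."""
    return age_ms ^ mask

def reuse_view_add(obf1, obf2):
    """Two uses of one ticket under addition: the mask cancels and only the
    elapsed time is left, which the observer already knows from the clock."""
    return (obf2 - obf1) % MOD

def reuse_view_xor(obf1, obf2):
    """Under XOR the mask also cancels, but what is left is age1 ^ age2,
    whose carry pattern depends on the real (unmasked) age."""
    return obf1 ^ obf2

def ages_matching_xor(view, delta_ms, window_ms):
    """Real ages in [0, window_ms) that are consistent with an XOR reuse view."""
    return [a for a in range(window_ms) if a ^ (a + delta_ms) == view]

# Constructed sample: two tickets of different ages, each used twice, 1000 ms apart.
# ticket_A's mask is chosen so that the addition wraps around 2^32.
DELTA = 1000
TICKETS = {"ticket_A": (5_000, 0xFFFFF000), "ticket_B": (70_000, 0x1234ABCD)}

def observe(masker, viewer):
    """Observer's computed value per ticket for the two uses."""
    return {name: viewer(masker(age, m), masker(age + DELTA, m))
            for name, (age, m) in TICKETS.items()}

if __name__ == "__main__":
    print("add:", observe(mask_add, reuse_view_add))   # same value for both tickets
    print("xor:", observe(mask_xor, reuse_view_xor))   # value depends on the real age
    cands = ages_matching_xor(5_000 ^ 6_000, DELTA, 2**17)
    print("ages consistent with ticket_A's xor view:", len(cands), "of", 2**17)
```
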
