I think the guidance on session resumption needs to be more prescriptive as to what constitutes the best practice.
The session resumption behavior as a whole needs to be a SHOULD. However, if you support session resumption behavior, then:

* The session tickets MUST be encrypted with an equivalent cipher to the main TLS cipher
* Session ticket lifetime MUST be limited to < 1 day
* Ticket keys MUST be changed at least once a week.

You may have reasons to not follow these guidelines, but to do so would not be a best practice.

Trevor
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
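
Added example, not part of the original message: a Python model of a server-side ticket key ring that enforces the three MUSTs listed in the message. It models the policy only (no actual ticket encryption); the class and function names, the strength table, and the reading of "equivalent" as "not weaker" are assumptions.

```python
import os
from dataclasses import dataclass

DAY = 24 * 3600
MAX_TICKET_LIFETIME = DAY - 1   # ticket lifetime limited to < 1 day
MAX_KEY_AGE = 7 * DAY           # ticket keys changed at least once a week
# Assumed strength table (key bits); "equivalent" is read as "not weaker".
STRENGTH = {"AES-128-GCM": 128, "AES-256-GCM": 256, "CHACHA20-POLY1305": 256}

@dataclass
class TicketKey:
    key_id: bytes
    secret: bytes
    created: float

class TicketKeyRing:
    def __init__(self, ticket_cipher, now):
        self.ticket_cipher = ticket_cipher
        self.keys = []                       # newest (issuing) key first
        self._new_key(now)

    def _new_key(self, now):
        size = STRENGTH[self.ticket_cipher] // 8
        self.keys.insert(0, TicketKey(os.urandom(16), os.urandom(size), now))

    def maintain(self, now):
        """Rotate the issuing key weekly; drop keys whose tickets have all expired."""
        if now - self.keys[0].created >= MAX_KEY_AGE:
            self._new_key(now)
        # A retired key issued its last ticket before created + MAX_KEY_AGE.
        horizon = MAX_KEY_AGE + MAX_TICKET_LIFETIME
        self.keys = self.keys[:1] + [k for k in self.keys[1:]
                                     if now - k.created <= horizon]

    def issue(self, tls_cipher, now):
        """Return ticket metadata, or None when resumption must not be offered."""
        if STRENGTH[self.ticket_cipher] < STRENGTH[tls_cipher]:
            return None                      # ticket protection weaker than session
        self.maintain(now)
        return {"key_id": self.keys[0].key_id, "issued": now,
                "lifetime_hint": MAX_TICKET_LIFETIME}

    def accept(self, ticket, now):
        """Resume only if the key is still held and the ticket is within lifetime."""
        self.maintain(now)
        known = any(k.key_id == ticket["key_id"] for k in self.keys)
        return known and 0 <= now - ticket["issued"] < MAX_TICKET_LIFETIME
```

Retired keys are kept only for decryption and only until the last ticket they could have issued has expired, so a leaked old key stops being useful after a bounded window.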
