Hi Trevor, are you talking about session resumption as defined in the base TLS RFC or about session resumption without server-side state (RFC 5077)? Since you talk about tickets in your mail below I believe you are talking about the latter.

Note that the ticket is an implementation choice of the server operator and the RFC only gives an example.

Ciao
Hannes

On 05/28/2014 08:30 PM, Trevor Freeman wrote:
> I think the guidance on session resumption needs to be more prescriptive
> as to what constitutes the best practice.
>
> The session resumption behavior as a whole needs to be a SHOULD.
>
> However if you support Session resumption behavior then :-
>
> · The session tickets MUST be encrypted with an equivalent
> cipher to the main TLS cipher
>
> · Session ticket lifetime MUST be limited to < 1 day
>
> · Ticket keys MUST be changed at least once a week.
>
> You may have reasons to not follow these guidelines, but to do so would
> not be a best practice.
>
> Trevor
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
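The limits proposed in the quoted message, sketched as a ticket-key ring (an added example, not part of the thread and not taken from any TLS library): tickets are honoured for under a day, the issuing key changes weekly, and a retired key is kept for decryption only until the last ticket it could have issued has expired. TicketKeyRing, its methods and ticket_fresh are hypothetical names; the 16-byte key_name follows the example ticket layout in RFC 5077.

```python
import os
from dataclasses import dataclass

TICKET_LIFETIME = 24 * 3600 - 1   # proposal in the thread: lifetime < 1 day
ROTATION_PERIOD = 7 * 24 * 3600   # proposal in the thread: new key at least weekly

@dataclass
class TicketKey:
    key_name: bytes   # 16-byte key identifier, as in the RFC 5077 example ticket
    secret: bytes     # constructed key material (a server would derive enc/MAC keys)
    created: float    # seconds, same clock as `now` below

class TicketKeyRing:
    """Hypothetical key ring: keys[0] issues tickets, older keys only decrypt."""

    def __init__(self, now):
        self.keys = [self._new_key(now)]

    @staticmethod
    def _new_key(now):
        return TicketKey(os.urandom(16), os.urandom(32), now)

    def maintain(self, now):
        # Rotate once the issuing key reaches the rotation period.
        if now - self.keys[0].created >= ROTATION_PERIOD:
            self.keys.insert(0, self._new_key(now))
        # A key never issues after created + ROTATION_PERIOD, so no valid ticket
        # under it exists after created + ROTATION_PERIOD + TICKET_LIFETIME.
        limit = ROTATION_PERIOD + TICKET_LIFETIME
        self.keys = [k for k in self.keys if now - k.created < limit]

    def issuing_key(self, now):
        self.maintain(now)
        return self.keys[0]

    def key_by_name(self, key_name, now):
        """Key for the key_name in a presented ticket, or None (full handshake)."""
        self.maintain(now)
        return next((k for k in self.keys if k.key_name == key_name), None)

def ticket_fresh(issued_at, now):
    # issued_at: timestamp taken from the ticket's decrypted, MAC-verified state.
    return 0 <= now - issued_at <= TICKET_LIFETIME
```

With these two limits a compromised ticket key can unlock tickets for at most eight days after it was created: seven days of issuing plus the lifetime of the last ticket issued under it.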
