Hi Hannes, I am simply rewording what's in the current BCP draft.
I believe the BCP draft is referring to the base RFC, as RFC 5077 is an informative, not normative, reference in the BCP draft, but maybe I am reading too much into that.

Trevor

-----Original Message-----
From: Hannes Tschofenig [mailto:[email protected]]
Sent: Wednesday, May 28, 2014 11:56 AM
To: Trevor Freeman; [email protected]
Subject: Re: [Uta] TLS BCP Session Resumption

Hi Trevor,

are you talking about session resumption as defined in the base TLS RFC or about session resumption without server-side state (RFC 5077)?

Since you talk about tickets in your mail below I believe you are talking about the latter.

Note that the ticket is an implementation choice of the server operator and the RFC only gives an example.

Ciao
Hannes

On 05/28/2014 08:30 PM, Trevor Freeman wrote:
> I think the guidance on session resumption needs to be more
> prescriptive as to what constitutes the best practice.
>
> The session resumption behavior as a whole needs to be a SHOULD.
>
> However, if you support session resumption behavior, then:
>
> * The session tickets MUST be encrypted with an equivalent
>   cipher to the main TLS cipher
>
> * Session ticket lifetime MUST be limited to < 1 day
>
> * Ticket keys MUST be changed at least once a week.
>
> You may have reasons to not follow these guidelines, but to do so
> would not be a best practice.
>
> Trevor
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
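The three rules Trevor proposes (ticket encryption on par with the TLS cipher, ticket lifetime under a day, ticket keys rotated at least weekly) map directly onto how an RFC 5077 server constructs and validates tickets. The following Go program is an added example written for this thread, not code from the BCP draft, from RFC 5077, or from any TLS library. It follows the RFC 5077 recommended layout (a 16-octet key_name followed by an IV and the encrypted, authenticated state), uses AES-256-GCM for the ticket, and enforces the lifetime and rotation numbers from the thread, which are assumptions here rather than RFC requirements. The type and function names (`TicketKeyRing`, `Seal`, `Open`, `RotateIfDue`) and the sample session state are invented for the example. The clock is injectable so that expiry and rotation can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Policy values taken from the proposal in the thread; the exact numbers are
// assumptions for this example, not RFC 5077 requirements.
const (
	maxTicketLifetime = 24 * time.Hour     // tickets MUST live less than one day
	keyRotationPeriod = 7 * 24 * time.Hour // ticket keys MUST change at least weekly
	keyNameLen        = 16                 // RFC 5077 key_name is 16 octets
)

// Every rejection returns the same sentinel: the server then does a full handshake.
var ErrTicketRejected = errors.New("session ticket rejected: fall back to a full handshake")

type ticketKey struct {
	name    [keyNameLen]byte // public identifier sent in the clear inside the ticket
	aead    cipher.AEAD      // AES-256-GCM: encrypts and authenticates the state
	created time.Time
}

// TicketKeyRing issues tickets under keys[0] and still accepts tickets sealed
// under older keys until every ticket they could have issued has expired.
type TicketKeyRing struct {
	keys []*ticketKey
	now  func() time.Time // injectable clock so expiry can be tested offline
}

func newTicketKey(now time.Time) (*ticketKey, error) {
	k := &ticketKey{created: now}
	raw := make([]byte, 32) // 256-bit key, on par with an AES-256 TLS cipher suite
	if _, err := rand.Read(k.name[:]); err != nil {
		return nil, err
	}
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	if k.aead, err = cipher.NewGCM(block); err != nil {
		return nil, err
	}
	return k, nil
}

func NewTicketKeyRing(now func() time.Time) (*TicketKeyRing, error) {
	r := &TicketKeyRing{now: now}
	return r, r.Rotate()
}

// Rotate installs a fresh issuing key and drops any key too old to have a live ticket.
func (r *TicketKeyRing) Rotate() error {
	k, err := newTicketKey(r.now())
	if err != nil {
		return err
	}
	kept := []*ticketKey{k}
	for _, old := range r.keys {
		if r.now().Sub(old.created) < keyRotationPeriod+maxTicketLifetime {
			kept = append(kept, old)
		}
	}
	r.keys = kept
	return nil
}

// RotateIfDue enforces the weekly rotation lazily on the issuing path.
func (r *TicketKeyRing) RotateIfDue() error {
	if r.now().Sub(r.keys[0].created) >= keyRotationPeriod {
		return r.Rotate()
	}
	return nil
}

// Seal builds a ticket: key_name || nonce || AES-GCM(issued_at || state), with
// key_name bound as additional data so the ciphertext cannot be re-labelled.
func (r *TicketKeyRing) Seal(state []byte) ([]byte, error) {
	if err := r.RotateIfDue(); err != nil {
		return nil, err
	}
	k := r.keys[0]
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := make([]byte, 8+len(state))
	binary.BigEndian.PutUint64(plain, uint64(r.now().Unix())) // issue time drives the lifetime check
	copy(plain[8:], state)
	ticket := append(append([]byte{}, k.name[:]...), nonce...)
	return k.aead.Seal(ticket, nonce, plain, k.name[:]), nil
}

// Open returns the session state, or ErrTicketRejected if the ticket names an
// unknown (rotated-out) key, fails authentication, or is older than the lifetime.
func (r *TicketKeyRing) Open(ticket []byte) ([]byte, error) {
	if len(ticket) < keyNameLen {
		return nil, ErrTicketRejected
	}
	var k *ticketKey
	for _, c := range r.keys {
		if bytes.Equal(c.name[:], ticket[:keyNameLen]) { // key names are public; a plain compare is fine
			k = c
			break
		}
	}
	if k == nil {
		return nil, ErrTicketRejected
	}
	ns := k.aead.NonceSize()
	if len(ticket) < keyNameLen+ns {
		return nil, ErrTicketRejected
	}
	plain, err := k.aead.Open(nil, ticket[keyNameLen:keyNameLen+ns], ticket[keyNameLen+ns:], ticket[:keyNameLen])
	if err != nil || len(plain) < 8 {
		return nil, ErrTicketRejected
	}
	age := r.now().Sub(time.Unix(int64(binary.BigEndian.Uint64(plain)), 0))
	if age < 0 || age >= maxTicketLifetime {
		return nil, ErrTicketRejected
	}
	return plain[8:], nil
}
```

Two design points worth noting. The lifetime is enforced by the server from the issue time inside the authenticated ticket, not by trusting the client; the ticket_lifetime_hint RFC 5077 sends to the client is only advisory. And rotation keeps the previous key for one lifetime past its retirement so that tickets issued just before a rotation still resume, while anything older simply falls back to a full handshake rather than being decrypted under a stale key.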
