Re: [quicwg/base-drafts] Why does stateless reset have to be checked after MAC failure (#2152)

MikkelFJ <> Mon, 26 August 2019 11:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 129B7120124 for <>; Mon, 26 Aug 2019 04:21:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.454
X-Spam-Status: No, score=-6.454 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m1-vJjhOM-Ud for <>; Mon, 26 Aug 2019 04:21:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7A9151200C3 for <>; Mon, 26 Aug 2019 04:21:32 -0700 (PDT)
Date: Mon, 26 Aug 2019 04:21:31 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1566818491; bh=bdibUuxmZpptONhNWYvNa60iyFmr7w26u/fbVThesBs=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=OcvfR6Virv16qOl9v7LR8NhYV6dKg+2OEWR+7P1FwmiPd5Ln/CMUAJkqU/rLKpj70 rZYBVDVeOPDzmn89bXzgUAn2Lr9kKm4qZgMUQOsSkTOiel0SVlkOOu5AoW7fC+YQ8v HQ7zrIn2xRWaj9iFmfYGqgUmU2Pzml/ASxc9wx18=
From: MikkelFJ <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2152/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Why does stateless reset have to be checked after MAC failure (#2152)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d63c0bb8a653_2173fc35b6cd96086056"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Aug 2019 11:21:34 -0000

A related problem is the use of API access tokens. Many people argue against JWT token validation because you cannot retire a JWT token. But a JWT token is easy to verify in constant time. An opaque access token must be looked up, and this is very hard to do constant time. This could be major security concern on the internet at large.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: