Re: [quicwg/base-drafts] Text on session resumption (#3566)

Christian Huitema <> Wed, 08 April 2020 04:22 UTC

@huitema commented on this pull request.

As I said in the text comment, this is good. Only open question is whether there should be a "privacy consideration" note in the security section.

> +that some information be retained; see Section 4.6.1 of {{!TLS13}}. QUIC itself
+does not depend on any state being retained when resuming a connection, unless
+0-RTT is also used; see {{enable-0rtt}} and Section 7.3.1 of
+{{QUIC-TRANSPORT}}. Application protocols could depend on state that is
+retained between resumed connections.
+Clients can store any state required for resumption along with the session
+ticket. Servers can use the session ticket to help carry state.
+Session resumption allows servers to link activity on the original connection
+with the resumed connection, which might be a privacy issue for clients.
+Clients can choose not to enable resumption to avoid creating this correlation.
+Client SHOULD NOT reuse tickets as that allows entities other than the server
+to correlate connection; see Section C.4 of {{!TLS13}}.
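
Review bot: The last added sentence has two number-agreement slips: "Client SHOULD NOT reuse tickets" should read "Clients SHOULD NOT reuse tickets", matching the "Clients can ..." sentences just above it, and "correlate connection" should be "correlate connections". The paragraph also covers two different observers, the server linking an original and a resumed connection and entities other than the server correlating connections through a reused ticket, and only the second gets a normative requirement. Consider splitting the two cases into separate sentences or paragraphs so that the SHOULD NOT is clearly scoped to ticket reuse and the choice not to enable resumption is clearly the client's remedy for server-side linkage.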

Looks good. Simple and to the point. My only reservation is about the security section. Session resumption allows tracking by the server, and this is arguably a security issue. The text here properly describes the concern and the remediation, but I wonder whether there should be a mention of these potential privacy issues in the security section.
