Re: [TLS] Unifying tickets and sessions

Richard Fussenegger <richard@fussenegger.info> Tue, 21 October 2014 17:35 UTC

Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE25B1A1B4B for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 10:35:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YGQP69QFM0xA for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 10:35:03 -0700 (PDT)
Received: from mx201.easyname.com (mx201.easyname.com [212.232.28.122]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 690A21A1B4A for <tls@ietf.org>; Tue, 21 Oct 2014 10:35:02 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1XgdKh-0004Ma-Nt for tls@ietf.org; Tue, 21 Oct 2014 19:34:59 +0200
Message-ID: <5446992E.7000609@fussenegger.info>
Date: Tue, 21 Oct 2014 19:34:38 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <5445775E.3050108@fussenegger.info> <54458113.1050304@polarssl.org> <20141020235832.GK19158@mournblade.imrryr.org> <544606E5.2070807@fussenegger.info> <20141021163414.GQ19158@mournblade.imrryr.org>
In-Reply-To: <20141021163414.GQ19158@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms000708030600080108040306"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9ULODmR7bW2ii6uqmVjvJpiYdtM
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 17:35:06 -0000

Many thanks for this information, didn't know that until now.

Richard

On 10/21/2014 6:34 PM, Viktor Dukhovni wrote:
> On Tue, Oct 21, 2014 at 09:10:29AM +0200, Richard Fussenegger, BSc wrote:
>
>> I was to vague in regards to implementation, sorry. Of course we only want a
>> single key or rather one long blob of random data to manage. The idea of
>> using a key length of at least the 'highest supported ciphers'[*] sounds
>> very good to me and would honor the ciphers in use. By always using a 128
>> bit key (current OpenSSL implementation) higher ciphers are essentially
>> downgraded.
> OpenSSL gives applications the freedom to use alternative keys and algorithms:
>
>      http://www.postfix.org/postconf.5.html#tls_session_ticket_cipher
>
> For now Postfix defaults to aes-128-cbc, I might change the default
> to aes-256-cbc before 2.12 ships.
>