Re: [TLS] Session Lifetime

Seth David Schoen, Mon, 29 November 2010 17:58 UTC

Eric Rescorla writes:

> The upper limit is just a suggestion anyway.
> I'm unaware of any reason why weeks to months isn't acceptable.

One concern is that resumed sessions work like cookies to identify
users, but users may not have convenient ways to control them as
they can control cookies.  There has been recent concern about
browser functionality that is equivalent to HTTP cookies but not
subject to user control like cookies.

Session resumption can have this effect too.

Of course, this concern is attenuated for sites where users have
to log in and have only one account, but it could be meaningful on
HTTPS sites where users have no account or have multiple accounts.

A separate performance consideration is that ideally the client
and server should have matched expectations about how long to
expect sessions to persist -- whether that's "not at all" or "a