Re: [TLS] Session Lifetime
Seth David Schoen <schoen@eff.org> Mon, 29 November 2010 17:58 UTC
Return-Path: <schoen@eff.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4757428C18A for <tls@core3.amsl.com>; Mon, 29 Nov 2010 09:58:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_81=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iJP+Q-k-FY1T for <tls@core3.amsl.com>; Mon, 29 Nov 2010 09:58:02 -0800 (PST)
Received: from mail1.eff.org (mail1.eff.org [64.147.188.4]) by core3.amsl.com (Postfix) with ESMTP id D726C28C11B for <tls@ietf.org>; Mon, 29 Nov 2010 09:58:02 -0800 (PST)
Received: from sescenties (localhost [127.0.0.1]) by mail1.eff.org (Postfix) with ESMTP id 9DC71BE189; Mon, 29 Nov 2010 09:59:13 -0800 (PST)
Date: Mon, 29 Nov 2010 09:59:12 -0800
From: Seth David Schoen <schoen@eff.org>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20101129175911.GA19368@sescenties>
References: <4CE484F1.2010403@pobox.com> <201011180251.oAI2pNSA015204@fs4113.wdf.sap.corp> <AANLkTi=fBfv01aZkbgUWnJ8FvqhevTrx99LcX8VmWuu6@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTi=fBfv01aZkbgUWnJ8FvqhevTrx99LcX8VmWuu6@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: tls@ietf.org
Subject: Re: [TLS] Session Lifetime
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2010 17:58:04 -0000
Eric Rescorla writes: > The upper limit is just a suggestion anyway. > > I'm unaware of any reason why weeks to months isn't acceptab;e. One concern is that resumed sessions work like cookies to identify users, but users may not have convenient ways to control them as they can control cookies. There has been recent concern about browser functionality that is equivalent to HTTP cookies but not subject to user control like cookies. https://www.isecpartners.com/files/iSEC_Cleaning_Up_After_Cookies.pdf http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862 Session resumption can have this effect too. Of course, this concern is attenuated for sites where users have to log in and have only one account, but it could be meaningful on HTTPS sites where users have no account or have multiple accounts. A separate performance consideration is that ideally the client and server should have matched expectations about how long to expect sessions to persist -- whether that's "not at all" or "a year".
- [TLS] Session Lifetime Michael D'Errico
- Re: [TLS] Session Lifetime Martin Rex
- Re: [TLS] Session Lifetime Eric Rescorla
- Re: [TLS] Session Lifetime Seth David Schoen
- Re: [TLS] Session Lifetime Steingruebl, Andy
- Re: [TLS] Session Lifetime Eric Rescorla
- Re: [TLS] Session Lifetime Marsh Ray
- Re: [TLS] Session Lifetime Martin Rex