Re: [TLS] Unifying tickets and sessions

[Hubert Kario <hkario@redhat.com>]

On Thursday 23 October 2014 19:21:08 Richard Fussenegger wrote:
> On 10/23/2014 4:03 PM, Hubert Kario wrote:
> > While it may negotiate AES-256 (because it wants to interoperate with
> > clients that are configured to not to present weaker ciphers), doesn't
> > mean that it as a whole is configured to the 256 bit level of
> > security. With TLS1.2 it may sign the (EC)DHE parameters using SHA-1,
> > it may use RSA key exchange using only 2048 bit keys, it may be just a
> > local proxy server that is hard coded to connect using AES-128 with
> > the backed servers over open Internet. Yes, server should encrypt the
> > tickets with as strong algorithm as its most secure cipher, but there
> > are many situations where it's not necessary. "MUST" is certainly not
> > applicable.
> 
> Those are good and valid arguments for a RECOMMENDED regarding session
> ticket/token key algorithms or simply dropping one word and uppercasing
> another does the trick (?):

yes, I agree.

> 
> https://tools.ietf.org/html/rfc5077#section-5.5
> 
> >    o  The keys and cryptographic protection algorithms should be at
> >    
> >       least 128 bits in strength.  Some ciphersuites and applications
> > 
> > -     may require cryptographic protection greater than 128 bits in
> > +     REQUIRE cryptographic protection greater than 128 bits in
> > 
> >       strength.
> 
> But the MUST regarding key rotation, key discarding, and key count hard
> limits is still appropriate in my opinion because PFS is a MUST in TLS
> 1.3 (unless this has changed and I didn't read about it).

Yes, while a large key size is recommended ("SHOULD"), a frequent key rotation 
(in order of days) is a "MUST" with shorter time scales recommended, given 
other parts of TLS 1.3.

-- 
Regards,
Hubert Kario