[TLS] comments & clarifications for rfc4507bis
"Nagendra Modadugu" <ngm+ietf@google.com> Wed, 03 October 2007 22:43 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IdCwD-0001B7-Di; Wed, 03 Oct 2007 18:43:29 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IdCwC-0001B1-9r for tls@ietf.org; Wed, 03 Oct 2007 18:43:28 -0400
Received: from smtp-out.google.com ([216.239.45.13]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IdCw6-0005OR-2Y for tls@ietf.org; Wed, 03 Oct 2007 18:43:28 -0400
Received: from zps75.corp.google.com (zps75.corp.google.com [172.25.146.75]) by smtp-out.google.com with ESMTP id l93Mh5IV002736 for <tls@ietf.org>; Wed, 3 Oct 2007 15:43:06 -0700
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=received:message-id:date:from:sender:to:subject: in-reply-to:mime-version:content-type: content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=kKYR1KRLK2ryR9X9A5BxeFFnIS3aaLzOmtM026LAvTt4PdO+AL9ZpzlOMoo2kVqan +YdqyHzuTu09NoRPLOB/A==
Received: from nf-out-0910.google.com (nfdb21.prod.google.com [10.48.129.21]) by zps75.corp.google.com with ESMTP id l93MgOBp022018 for <tls@ietf.org>; Wed, 3 Oct 2007 15:43:02 -0700
Received: by nf-out-0910.google.com with SMTP id b21so3317291nfd for <tls@ietf.org>; Wed, 03 Oct 2007 15:43:02 -0700 (PDT)
Received: by 10.86.78.4 with SMTP id a4mr973347fgb.1191451382308; Wed, 03 Oct 2007 15:43:02 -0700 (PDT)
Received: by 10.86.73.14 with HTTP; Wed, 3 Oct 2007 15:43:02 -0700 (PDT)
Message-ID: <28425e380710031543i28a1274bl6cf25fd270ed3c2d@mail.gmail.com>
Date: Wed, 03 Oct 2007 15:43:02 -0700
From: Nagendra Modadugu <ngm+ietf@google.com>
To: tls@ietf.org
In-Reply-To: <28425e380710031503x4c26b1b1r97b9f18fa8892787@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <28425e380710031503x4c26b1b1r97b9f18fa8892787@mail.gmail.com>
X-Google-Sender-Auth: 2b21766c39d0f085
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc:
Subject: [TLS] comments & clarifications for rfc4507bis
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Apologies if the points below have been previously addressed. The comments below are in reference to the version of the draft dated August 27, 2007. S3.3: The server MUST NOT assume that the client actually received the updated ticket until it successfully verifies the client's Finished message. This text seems incorrect. The full-handshake case is actually a bit awkward, since the server cannot assume that the ticket has been received (by the client) until application data is received from the client. S3.4: If a server is planning on issuing a SessionTicket to a client that does not present one, it SHOULD include an empty Session ID in the ServerHello. If the server includes a non-empty session ID, then it is indicating intent to use stateful session resume. If the client receives a SessionTicket from the server, then it discards any Session ID that was sent in the ServerHello. Why are servers afforded the flexibility of simultaneously including an extension and session ID? Or differently put, why should a server ever need to generate a session ID if it intends to do stateless resumes? (Session IDs generated by the server will be discarded by the client in any case.) S3.4: In this case, the client ignores the Session ID sent in the ServerHello ... "the Session ID" -> "the Session ID (whether empty or non-empty)" S3.4: If the server accepts the ticket and the Session ID is not empty, then it MUST respond with the same Session ID present in the ClientHello. This allows the client to easily differentiate when the server is resuming a session from when it is falling back to a full handshake. What if the server rejects the ticket in this case? It seems reasonable that the server responds with an empty session ID to indicate to the client that a full-handshake is being initiated. Thanks, nagendra _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] comments & clarifications for rfc4507bis Nagendra Modadugu
- [TLS] comments & clarifications for rfc4507bis Nagendra Modadugu
- RE: [TLS] comments & clarifications for rfc4507bis Joseph Salowey (jsalowey)
- Re: [TLS] comments & clarifications for rfc4507bis Nagendra Modadugu
- [TLS] Re: comments & clarifications for rfc4507bis Nagendra Modadugu
- RE: [TLS] comments & clarifications for rfc4507bis Joseph Salowey (jsalowey)
- Re: [TLS] comments & clarifications for rfc4507bis Mike