[TLS] comments & clarifications for rfc4507bis
"Nagendra Modadugu" <ngm+ietf@google.com> Wed, 03 October 2007 22:43 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IdCwD-0001B7-Di; Wed, 03 Oct 2007 18:43:29 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IdCwC-0001B1-9r for tls@ietf.org; Wed, 03 Oct 2007 18:43:28 -0400
Received: from smtp-out.google.com ([216.239.45.13]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IdCw6-0005OR-2Y for tls@ietf.org; Wed, 03 Oct 2007 18:43:28 -0400
Received: from zps75.corp.google.com (zps75.corp.google.com [172.25.146.75]) by smtp-out.google.com with ESMTP id l93Mh5IV002736 for <tls@ietf.org>; Wed, 3 Oct 2007 15:43:06 -0700
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=received:message-id:date:from:sender:to:subject: in-reply-to:mime-version:content-type: content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=kKYR1KRLK2ryR9X9A5BxeFFnIS3aaLzOmtM026LAvTt4PdO+AL9ZpzlOMoo2kVqan +YdqyHzuTu09NoRPLOB/A==
Received: from nf-out-0910.google.com (nfdb21.prod.google.com [10.48.129.21]) by zps75.corp.google.com with ESMTP id l93MgOBp022018 for <tls@ietf.org>; Wed, 3 Oct 2007 15:43:02 -0700
Received: by nf-out-0910.google.com with SMTP id b21so3317291nfd for <tls@ietf.org>; Wed, 03 Oct 2007 15:43:02 -0700 (PDT)
Received: by 10.86.78.4 with SMTP id a4mr973347fgb.1191451382308; Wed, 03 Oct 2007 15:43:02 -0700 (PDT)
Received: by 10.86.73.14 with HTTP; Wed, 3 Oct 2007 15:43:02 -0700 (PDT)
Message-ID: <28425e380710031543i28a1274bl6cf25fd270ed3c2d@mail.gmail.com>
Date: Wed, 03 Oct 2007 15:43:02 -0700
From: Nagendra Modadugu <ngm+ietf@google.com>
To: tls@ietf.org
In-Reply-To: <28425e380710031503x4c26b1b1r97b9f18fa8892787@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <28425e380710031503x4c26b1b1r97b9f18fa8892787@mail.gmail.com>
X-Google-Sender-Auth: 2b21766c39d0f085
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc:
Subject: [TLS] comments & clarifications for rfc4507bis
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Apologies if the points below have been previously addressed. The
comments below are in reference to the version of the draft dated
August 27, 2007.
S3.3: The server MUST NOT assume that the client actually received the updated
ticket until it successfully verifies the client's Finished
message.
This text seems incorrect. The full-handshake case is actually a bit
awkward, since the server cannot assume that the ticket has been
received (by the client) until application data is received from the client.
S3.4: If a server is planning on issuing a SessionTicket to a client
that does not present one, it SHOULD include an empty Session ID in the
ServerHello. If the server includes a non-empty session ID, then it
is indicating intent to use stateful session resume. If the client
receives a SessionTicket from the server, then it discards any
Session ID that was sent in the ServerHello.
Why are servers afforded the flexibility of simultaneously including an
extension and session ID? Or differently put, why should a server ever
need to generate a session ID if it intends to do stateless resumes?
(Session IDs generated by the server will be discarded by the client in
any case.)
S3.4: In this case, the client ignores the Session ID sent in
the ServerHello ...
"the Session ID" -> "the Session ID (whether empty or non-empty)"
S3.4: If the server accepts the ticket and the Session ID is not empty,
then it MUST respond with the same Session ID present in the
ClientHello. This allows the client to easily differentiate when
the server is resuming a session from when it is falling back to a
full handshake.
What if the server rejects the ticket in this case? It seems
reasonable that the server responds with an empty session ID to
indicate to the client that a full-handshake is being initiated.
Thanks,
nagendra
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
- [TLS] comments & clarifications for rfc4507bis Nagendra Modadugu
- [TLS] comments & clarifications for rfc4507bis Nagendra Modadugu
- RE: [TLS] comments & clarifications for rfc4507bis Joseph Salowey (jsalowey)
- Re: [TLS] comments & clarifications for rfc4507bis Nagendra Modadugu
- [TLS] Re: comments & clarifications for rfc4507bis Nagendra Modadugu
- RE: [TLS] comments & clarifications for rfc4507bis Joseph Salowey (jsalowey)
- Re: [TLS] comments & clarifications for rfc4507bis Mike