Re: [TLS] SNI and tickets and resumption
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 11 August 2014 20:11 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87FE81A0002 for <tls@ietfa.amsl.com>; Mon, 11 Aug 2014 13:11:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OaVeqSA8_u6M for <tls@ietfa.amsl.com>; Mon, 11 Aug 2014 13:11:51 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D18E81A0004 for <tls@ietf.org>; Mon, 11 Aug 2014 13:11:51 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 80ED52AB2BD; Mon, 11 Aug 2014 20:11:49 +0000 (UTC)
Date: Mon, 11 Aug 2014 20:11:49 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140811201149.GX14392@mournblade.imrryr.org>
References: <53E8467B.2090609@delignat-lavaud.fr> <20140811183159.145C81AE02@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140811183159.145C81AE02@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hEQ_XjNP3modboIyjP138gbJXrA
Subject: Re: [TLS] SNI and tickets and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 20:11:53 -0000
On Mon, Aug 11, 2014 at 08:31:59PM +0200, Martin Rex wrote: > Normally, I would assume that the client-side session cache is organized/ > indexed by the information that is used for server endpoint identification, > and a client should not be proposing session resumption of a cached session > that would fail server endpoint identification. Exactly! This is, for example, how the Postfix client session cache is keyed. With DANE, the session lookup key even covers the current peer TLSA RRset, so that when TLSA RRs change, the client negotiates a new session. If the client proposes a session with an SNI name it would not accept for the certificate chain of the cached session, that's the client's fault. -- Viktor.
- [TLS] SNI and tickets and resumption Salz, Rich
- Re: [TLS] SNI and tickets and resumption Adam Langley
- Re: [TLS] SNI and tickets and resumption Salz, Rich
- Re: [TLS] SNI and tickets and resumption Martin Thomson
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Adam Langley
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Sajeev S
- Re: [TLS] SNI and tickets and resumption Brian Sniffen
- Re: [TLS] SNI and tickets and resumption Antoine Delignat-Lavaud
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Viktor Dukhovni
- Re: [TLS] SNI and tickets and resumption Viktor Dukhovni