Re: [TLS] Proposed text for removing renegotiation

Brian Smith <brian@briansmith.org> Wed, 28 May 2014 17:26 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 050B71A04A2 for <tls@ietfa.amsl.com>; Wed, 28 May 2014 10:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLcuYFntWRDZ for <tls@ietfa.amsl.com>; Wed, 28 May 2014 10:26:09 -0700 (PDT)
Received: from mail-qg0-f46.google.com (mail-qg0-f46.google.com [209.85.192.46]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 365201A01C3 for <tls@ietf.org>; Wed, 28 May 2014 10:26:09 -0700 (PDT)
Received: by mail-qg0-f46.google.com with SMTP id q108so18266649qgd.19 for <tls@ietf.org>; Wed, 28 May 2014 10:26:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=hsux7Va3t6KZiSd1/hXsDaXUkB3KJKLW3sKxQaPrAUk=; b=T9E7IYkmijlpKBCaligazXqJ5u/yyZwlhSdo4Yvn3N/23YKsBu2jZPKH46RrhGGk7b N3NL/Z2m+fh5037raiRiaaPOQvkE4pIF/Orf3AQshjZFO7YpaJyFLbrIf5dHBZmrTFUt EDkpKlDXIcxVH+STmDEOn/x7boHu8gchHOHHTHOr3wXPH/zG1c2bHiYwVQ+tGszBSP6u o/ELcrazZZjMj4B2nmGZgcpPg3lqwAxSwMsYu2m9oXtps/4WD8I6rquP2VVvUbIx00aG i+ZVhuDhTOuz858idgHDw5/f4nyk5Jir+KAftzXlFUeqdmi9PITZxtkWSeLMirFpWD+b P2vg==
X-Gm-Message-State: ALoCoQkOu37846Fd6vpOay+pMxjlRoZOg3eiePF7YUnOIrURajvvshLsn47p71Rdqz0w7RoBLm1d
MIME-Version: 1.0
X-Received: by 10.224.36.141 with SMTP id t13mr1295527qad.75.1401297965228; Wed, 28 May 2014 10:26:05 -0700 (PDT)
Received: by 10.224.201.193 with HTTP; Wed, 28 May 2014 10:26:05 -0700 (PDT)
In-Reply-To: <20140528004408.D184F1AD1D@ld9781.wdf.sap.corp>
References: <CABkgnnXaLKmxXL01hQEdxHSNGt3nZQQNBLDD5H2LqBzTo3vK4g@mail.gmail.com> <20140528004408.D184F1AD1D@ld9781.wdf.sap.corp>
Date: Wed, 28 May 2014 10:26:05 -0700
Message-ID: <CAFewVt65X1V6=A_HP_pcg=6nXNVFLxQmSsPB2rq1KvmGPRz+og@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary=089e0149d0e471370c04fa791bc0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yljLtSoSeWukNqiFTXczQfQDI80
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposed text for removing renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 17:26:10 -0000

On Tue, May 27, 2014 at 5:44 PM, Martin Rex <mrex@sap.com> wrote:

> Conceptually, the TLS session cache is readonly after an entry
> is created, and that is GOOD, i.e. full TLS handshakes create new,
> distict session cache entries, and abbreviated TLS handshakes resume
> existing session cache entries and *NEVER* modify them.
>

That is not true. During session resumption, the server can send a new
session ticket for the existing session and the client has the option of
adding the new ticket to the session (and removing the old ticket).

Also often timestamps (e.g. for LRU replacement bookkeeping) and/or
counters (e.g. for cache hit rate statistics) in a session are updated
during resumption, though these are "just" implementation issues.

Cheers,
Brian