On Tue, Jul 2, 2013 at 10:07 AM, Adam Back <a...@cypherspace.org> wrote:
> On Tue, Jul 02, 2013 at 11:48:02AM +0100, Ben Laurie wrote:
>> On 2 July 2013 11:25, Adam Back <a...@cypherspace.org> wrote:
>>> does it provide forward secrecy (via k' = H(k)?).
>>
>> Resumed [SSL] sessions do not give forward secrecy. Sessions should be
>> expired regularly, therefore.
>
> That seems like an SSL protocol bug no? With the existence of forward
> secret ciphersuites, the session resumption cache mechanism itself MUST
> exhibit forward secrecy.

The whole point of session resumption is to make that fast. It can't be
too fast if it implies public key cryptography. Now, with ECC DH it's
probably fast enough anyways, so, yes, we should do this.

> Do you think anyone would be interested in fixing that?

It's already possible to resume then renegotiate with an anon ECC DH
cipher suite. Oh, wait, no, anon ECC DH with AES cipher suites were left
out (by accident). So the fix might just be to register the missing
cipher suites and always renego with one of those immediately after
resuming a session.

We could then work on a round-trip optimized session resumption with PFS
feature. But first we'd have to get users to use cipher suites with PFS.
We're not really there.

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
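The k' = H(k) idea raised in the quoted exchange, as an added toy model that is not part of the thread or of any TLS implementation: both peers hold a cached resumption secret, derive a per-resumption traffic key from it with HMAC over a public nonce (an assumed derivation, not the TLS PRF), and the ratcheted variant replaces the stored secret by its hash after every resumption, so a later compromise of the cache cannot recover keys of resumptions that already happened. All secrets and nonces below are constructed test values.

```python
import hashlib
import hmac


def derive_session_key(secret: bytes, nonce: bytes) -> bytes:
    """Assumed per-resumption key derivation: HMAC-SHA256(secret, public nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class StaticResumptionCache:
    """Cache entry that keeps one fixed master secret for every resumption (no PFS)."""

    def __init__(self, master_secret: bytes) -> None:
        self.secret = master_secret

    def resume(self, nonce: bytes) -> bytes:
        return derive_session_key(self.secret, nonce)


class RatchetedResumptionCache:
    """Cache entry that hashes its secret forward (k' = H(k)) after each resumption."""

    def __init__(self, master_secret: bytes) -> None:
        self.secret = master_secret

    def resume(self, nonce: bytes) -> bytes:
        key = derive_session_key(self.secret, nonce)
        # One-way step: the previous secret is erased and cannot be recomputed from k'.
        self.secret = hashlib.sha256(self.secret).digest()
        return key


def peers_agree(cache_cls, master_secret: bytes, nonces: list) -> bool:
    """Both endpoints run the same cache logic, so their key sequences must match."""
    client, server = cache_cls(master_secret), cache_cls(master_secret)
    return all(client.resume(n) == server.resume(n) for n in nonces)


def recoverable_after_compromise(cache_cls, master_secret: bytes, nonces: list) -> int:
    """Run several resumptions, then leak the cache state and count how many
    of the *past* session keys an attacker can recompute from it plus the
    public nonces (the only other input to the derivation)."""
    cache = cache_cls(master_secret)
    past_keys = [cache.resume(n) for n in nonces]
    leaked_state = cache.secret  # what a later compromise of the cache exposes
    return sum(1 for n, k in zip(nonces, past_keys)
               if derive_session_key(leaked_state, n) == k)
```

With a static cache every past resumption key is recovered from the leaked secret; with the ratchet none are, while both peers still derive identical keys.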