On Thu, Jun 23, 2016 at 01:37:14PM +1000, Martin Thomson wrote:
> When implementing 0-RTT, and in particular the ticket_age extension, we
> discovered that this greatly increases the complexity of the server
> state machine.
>
> David Benjamin rather flippantly described a solution to this problem:
> XOR the ticket age value with something that is either derived from
> the old session keys or was included in the NewSessionTicket message.
>
> I propose we take David's solution. After all, simple is better:
>
> https://github.com/tlswg/tls13-spec/pull/503

I don't see a warning that reusing a ticket with that scheme causes
the "masking" to break (the classic "multiple time pad" broken scheme).

-Ilari
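
The reuse problem raised above, as an added example that is not part of the original thread or of the pull request: when one ticket (and so one XOR mask) is used for two resumptions, the mask cancels out of the two values on the wire. The function names, the 32-bit mask fixed per ticket, the sample ages and the assumption that an observer knows the exact gap between the two ClientHellos are all constructed for illustration.

```python
import secrets

def mask_age(ticket_age_ms: int, mask: int) -> int:
    """XOR-mask a 32-bit ticket age; the same call unmasks it on the server."""
    return (ticket_age_ms ^ mask) & 0xFFFFFFFF

def observer_xor(sent_1: int, sent_2: int) -> int:
    """What anyone watching the wire can compute from two masked values."""
    return sent_1 ^ sent_2

def consistent_ages(sent_1: int, sent_2: int, gap_ms: int, max_age_ms: int) -> list:
    """First-use ages that agree with both masked values and the observed gap.

    Assumption: the client clock advanced by exactly gap_ms between the two
    uses (a simplification; real clocks and networks add jitter).
    """
    leak = observer_xor(sent_1, sent_2)
    return [age for age in range(max_age_ms) if age ^ (age + gap_ms) == leak]

def demo() -> dict:
    mask = secrets.randbits(32)        # hypothetical per-ticket mask
    age_1, gap = 95_000, 30_000        # constructed: used at 95 s, reused 30 s later
    sent_1 = mask_age(age_1, mask)
    sent_2 = mask_age(age_1 + gap, mask)          # reuse: same ticket, same mask
    leak = observer_xor(sent_1, sent_2)           # equals age_1 ^ (age_1 + gap)
    candidates = consistent_ages(sent_1, sent_2, gap, 600_000)
    # Single use: a new ticket carries a new mask, so the XOR of the two
    # wire values still contains mask ^ fresh_mask and nothing cancels.
    fresh_mask = secrets.randbits(32)
    sent_fresh = mask_age(age_1 + gap, fresh_mask)
    return {
        "leak": leak,
        "mask_cancelled": leak == age_1 ^ (age_1 + gap),
        "true_age_in_candidates": age_1 in candidates,
        "candidate_count": len(candidates),
        "fresh_residue_is_masks": observer_xor(sent_1, sent_fresh) ^ leak
                                  == mask ^ fresh_mask,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Issuing a new mask with every ticket and not reusing tickets keeps the pad single-use, which is the condition the warning would need to state.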