On Sun, Mar 12, 2017 at 3:44 PM, Martin Thomson <martin.thom...@gmail.com> wrote:
> On 13 March 2017 at 09:23, Ivan Ristic <ivan.ris...@gmail.com> wrote:
> > - Finally, I feel that the effective removal of (visible) session IDs is a
> > regression. Being able to track sessions and resumption is useful to
> > understand traffic patterns. So, I'd prefer to bring session IDs back, and
> > to arrange things so that they're always server-generated.
>
> For some people, tracking is an anti-feature.

Sure, but the current session ticket design doesn't prevent tracking. At best, it only makes it somewhat more expensive because trackers need to construct their own session IDs from available connection data.

Another example, perhaps relevant: load balancers can often be configured to use sticky sessions based on TLS session IDs. It's a useful feature given that web servers typically don't have a good story for distributed server-side TLS session storage. Without an explicit ID, they too would need to make their own.

--
Ivan
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
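
The sticky-session point in the message above, as an added example that is not part of the original email: a load balancer reads the session ID field from a ClientHello and hashes it to a backend, and has to fall back to a key of its own when no ID is offered. The backend names, the function names, the choice of fallback key and the sample ClientHello are assumptions made for illustration.

```python
import hashlib
import struct

BACKENDS = ["app-1", "app-2", "app-3"]  # hypothetical backend pool


def client_hello_session_id(record: bytes) -> bytes:
    """Return the session_id field of a ClientHello carried in one TLS record."""
    if len(record) < 5:
        raise ValueError("short TLS record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < rlen or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # legacy_version (2 bytes) and random (32 bytes) precede the length byte
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return hello[35:35 + sid_len]


def pick_backend(record: bytes, fallback_key: bytes) -> str:
    """Sticky choice: hash the session ID, or a balancer-made key if none is sent."""
    sid = client_hello_session_id(record)
    key = sid if sid else fallback_key  # assumption: fallback is e.g. client address
    digest = hashlib.sha256(key).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]


def build_hello(sid: bytes) -> bytes:
    """Constructed sample: minimal ClientHello, one cipher suite, no extensions."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
    hello += b"\x00\x02\x13\x01" + b"\x01\x00"  # cipher suites, compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

With a session ID present the backend choice does not depend on the fallback key at all; with an empty ID the balancer's own key is the only thing keeping the connection sticky.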