> On May 6, 2017, at 8:51 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> Yes, they can. But doing so leaks a unique identifier, which can be used
> to link sessions. When I look at the privacy implications as well as the
> replay attacks, there is real value in using a resume ticket only once.
>
> Agreed. Also, I think that's Ben Kaduk you're quoting :)
Agreed, on the general case, but a reminder that not all applications
benefit from such "privacy". A sending SMTP MTA has a fixed public
IP address, and even sends a fixed fixed SMTP "HELO" name in the clear
before STARTTLS. It might of course also send SNI in the clear, ...
and will typically perform cleartext DNS queries that identify the
peer. There is exceedingly little opportunity or desire to hide client
and server host names. So some applications will reuse session tickets
(while avoiding 0-RTT).
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
