> On May 6, 2017, at 8:51 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> Yes, they can. But doing so leaks a unique identifier, which can be used
> to link sessions. When I look at the privacy implications as well as the
> replay attacks, there is real value in using a resume ticket only once.
>
> Agreed. Also, I think that's Ben Kaduk you're quoting :)

Agreed, on the general case, but a reminder that not all applications benefit from such "privacy". A sending SMTP MTA has a fixed public IP address, and even sends a fixed SMTP "HELO" name in the clear before STARTTLS. It might of course also send SNI in the clear, ... and will typically perform cleartext DNS queries that identify the peer. There is exceedingly little opportunity or desire to hide client and server host names.

So some applications will reuse session tickets (while avoiding 0-RTT).

--
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls