On Tue, Jan 29, 2019 at 11:53 PM David Benjamin <david...@chromium.org> wrote:
> On Tue, Jan 29, 2019 at 4:14 PM Subodh Iyengar <sub...@fb.com> wrote:
>
>> > Wouldn't this issue also be mitigated by requiring the server to
>> re-authenticate during resumption with the certificate once in a while?
>>
>> I think it's probably just easier to drop the resumption completely.
>>
>> > This two-lifetime thing is actually already what we implement in
>> BoringSSL. 😊
>>
>> Fantastic. Would it help to have an extension to set a lower bound on
>> this value, or just make it more painful?
>>
>
> (Did you mean upper bound?)
>
> I'd actually interpreted the RFC 8446 text to imply a 7 day upper bound on
> the renewability, but apparently that's not how others read it!
>

That was also our understanding in the implementation for gnutls.

regards,
Nikos
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls