Bernard Aboba <aboba@xxxxxxxxxxxxx> writes: >> In the extreme case (client gets different server every time, and none >> of the servers can understand tickets generated by other servers), it >> will degrade to normal TLS (full handshake done every time). > >>From what I can see, the Ticket structure does not uniquely identify the > ticket type or ticket version, so that there is no easy way for the server > to determine what type of ticket has been submitted to it, or whether the > client is using the recommended format or not. The server checks the mac > in the last 20 octets, and if this is valid, then it decrypts the > encrypted_state. However, if the client were using the same mac, but a > different ticket format, the mac could check out, but the StatePlaintext > would not match. A Ticket Type/Version field would make it clear to the > server whether it is handling a Ticket of known type. I'm not sure I understand this, Bernard. The client doesn't need to know anything about the ticket format or get to decide anything about the mac. It's just the server talking to itself. -Ekr _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf